
CVE-2024-22018: Vulnerability in NodeJS Node

Low
Published: Wed Jul 10 2024 (07/10/2024, 01:00:12 UTC)
Source: CVE
Vendor/Project: NodeJS
Product: Node

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

AI-Powered Analysis

Last updated: 06/25/2025, 13:18:41 UTC

Technical Analysis

CVE-2024-22018 is a security vulnerability identified in the Node.js runtime environment, specifically affecting users of the experimental permission model when the --allow-fs-read flag is enabled. Node.js versions 20 and 21, among others listed, are impacted if this experimental feature is in use. The vulnerability stems from an inadequate permission enforcement mechanism within the fs.lstat API, which is used to retrieve file metadata (file stats). Normally, the permission model should deny access to file metadata for files that the process has not been granted explicit read permission on. However, due to this flaw, malicious actors can bypass these restrictions and obtain file stats for files they are not authorized to read. This can lead to information disclosure about the file system structure, file sizes, modification times, and other metadata, which could be leveraged in further attacks such as targeted exploitation or reconnaissance. The vulnerability does not allow modification or deletion of files, nor does it enable reading file contents, limiting its impact to confidentiality leakage of metadata only. The CVSS v3.0 score assigned is 2.9 (low severity), reflecting the limited impact, the requirement that the attacker must have local access (attack vector: local), and the high attack complexity. No privileges or user interaction are required, but the scope is unchanged and the impact is limited to confidentiality. At the time of disclosure, the experimental permission model is not widely adopted, which further reduces the exposure. There are no known exploits in the wild, and no official patches or mitigations have been linked yet, though it is expected that future Node.js releases will address this issue once the permission model matures.

Potential Impact

For European organizations, the impact of CVE-2024-22018 is generally low but context-dependent. Organizations using Node.js with the experimental permission model enabled and the --allow-fs-read flag are at risk of metadata leakage. This could be relevant for development environments, internal tools, or experimental deployments rather than production systems, as the permission model is not yet mainstream. The leakage of file metadata could aid attackers in mapping file system layouts or identifying sensitive files, potentially facilitating more targeted attacks or privilege escalation attempts. However, since the vulnerability does not allow reading file contents or modifying files, the direct impact on confidentiality, integrity, and availability is limited. European organizations with strict data protection regulations (e.g., GDPR) should still consider the risk of any unauthorized information disclosure, even if limited to metadata. The vulnerability is unlikely to cause widespread disruption but could be leveraged in multi-stage attacks, especially in environments where Node.js is used for critical internal applications or where local attacker presence is possible.

Mitigation Recommendations

1. Avoid enabling the experimental permission model with the --allow-fs-read flag in production or sensitive environments until the vulnerability is fully addressed.
2. Monitor Node.js release notes and update to patched versions once available, especially for versions 20 and 21.
3. Restrict local access to systems running Node.js with the experimental permission model to trusted users only, minimizing the risk of local exploitation.
4. Conduct internal audits to identify any usage of the experimental permission model and the --allow-fs-read flag in development or production environments.
5. Implement strict file system permissions and access controls to limit the exposure of sensitive files, reducing the value of metadata leakage.
6. Use containerization or sandboxing to isolate Node.js processes, limiting the scope of potential information disclosure.
7. Employ runtime monitoring and anomaly detection to identify unusual file system access patterns that could indicate exploitation attempts.
8. Educate developers and system administrators about the experimental nature of the permission model and associated risks to prevent inadvertent enabling of vulnerable configurations.


Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2024-01-04T01:04:06.573Z
Cisa Enriched
true
Cvss Version
3.0
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed5d3

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 1:18:41 PM

Last updated: 7/27/2025, 11:37:43 AM
