Fluid Attacks Database

Description

An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without the required permission checks, while their callback-based equivalents (fs.fchmod(), fs.fchown()) were correctly patched.

As a result, code running under --permission with restricted --allow-fs-write can still use promise-based FileHandle methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where --allow-fs-write is intentionally restricted.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	nodejs	=20.19.2+dfsg-1 \|\| =20.19.2+dfsg-1+deb13u1 \|\| >=0 <20.19.2+dfsg-1+deb13u2	20.19.2+dfsg-1+deb13u2
rpm rhel10	nodejs24	<1:24.14.1-2.el10_1	1:24.14.1-2.el10_1
alpine v3.23	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.16.0-r3 \|\| =22.19.0-r3 \|\| =22.19.0-r4 \|\| =22.21.0-r0 \|\| =24.11.1-r0 \|\| =24.13.0-r0 \|\| =24.13.0-r1 \|\| >=0 <24.14.1-r0	24.14.1-r0
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| >=0 <22.22.2+dfsg+~cs22.19.15-1	22.22.2+dfsg+~cs22.19.15-1
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.22.0-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0
rpm rhel8	nodejs	-	-
rpm rhel9	nodejs	-	-
rpm rhel10	nodejs22	-	-
alpine v3.21	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.13.1-r0 \|\| =22.15.1-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0

Aliases

1. CVE-2026-217162. NVD-2026-217163. OSV-DEBIAN-2026-217164. OSV-2026-217165. OSV-ALPINE-2026-217166. SECURITY-TRACKER-CVE-2026-217167. SECURITY-CVE-2026-21716

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.