This is a security release.
Notable Changes
- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
- CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
- CVE-2024-22018 - fs.lstat bypasses permission model (Low)
- CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
- CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Commits
- [
60e184a6e4] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522 - [
025cbd6936] - lib,permission: support fs.lstat (RafaelGSS) nodejs-private/node-private#486 - [
d38ea17341] - lib,permission: disable fchmod/fchown when pm enabled (RafaelGSS) nodejs-private/node-private#584 - [
1ba624cd3b] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596 - [
2524d00c3d] - src,permission: fix UNC path resolution (RafaelGSS) nodejs-private/node-private#581 - [
484cb0f13c] - src,permission: resolve path on fs_permission (Rafael Gonzaga) #52761