CVE-2024-22020

Name

CVE-2024-22020

Description

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://hackerone.com/reports/2092749
	http://www.openwall.com/lists/oss-security/2024/07/11/6
	http://www.openwall.com/lists/oss-security/2024/07/19/3
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20241122-0006/

Source package	Min version	Max version
node.js	>= 0	<= 21.6.1
node.js	>= 0	<= 20.11.0
node.js	>= 0	<= 18.19.0

Source package	Branch	Version	Maintainer	Status
nodejs	3.20-main	20.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	3.19-main	20.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

References

Match rules

Vulnerable and fixed packages