CVE-2024-22020

2024-07-0902:15:09

Debian Security Bug Tracker

security-tracker.debian.org

node.js

network import

data urls

arbitrary code

system security

vulnerability

import restriction

security risk

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

AI Score

7.5

Confidence

Low

EPSS

Percentile

16.0%

JSON

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

OSVersionArchitecturePackageVersionFilename
Debian12allnodejs<= 18.19.0+dfsg-6~deb12u2nodejs_18.19.0+dfsg-6~deb12u2_all.deb
Debian11allnodejs< 12.22.12~dfsg-1~deb11u4nodejs_12.22.12~dfsg-1~deb11u4_all.deb
Debian999allnodejs< 20.15.1+dfsg-1nodejs_20.15.1+dfsg-1_all.deb
Debian13allnodejs< 20.15.1+dfsg-1nodejs_20.15.1+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nodejs	<= 18.19.0+dfsg-6~deb12u2	nodejs_18.19.0+dfsg-6~deb12u2_all.deb
Debian	11	all	nodejs	< 12.22.12~dfsg-1~deb11u4	nodejs_12.22.12~dfsg-1~deb11u4_all.deb
Debian	999	all	nodejs	< 20.15.1+dfsg-1	nodejs_20.15.1+dfsg-1_all.deb
Debian	13	all	nodejs	< 20.15.1+dfsg-1	nodejs_20.15.1+dfsg-1_all.deb