Dittyroma

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 18.20.4 Node.js versions prior to 20.15.1 Node.js versions prior to 22.4.1 **Description** A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. The vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. **Recommendations** Update to Node.js version 18.20.4 or newer. Update to Node.js version 20.15.1 or newer. Update to Node.js version 22.4.1 or newer. As a temporary workaround, consider forbidding data URLs in network imports until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to the fixed version **Description** Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This issue affects users of any active release line of Node.js, but the vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. **Recommendations** As a temporary workaround, consider disabling the `--experimental-wasm-modules` command line option until a patch is available. Restrict access to the WebAssembly module to minimize the risk of exploitation. Avoid using the vulnerable feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.