Valette

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.18.0 and later Node.js versions 20.4.0 and later Node.js versions 21 and later Description: The issue is related to the setuid() function not affecting libuv's internal io uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). The vulnerability may be exploited to elevate privileges. Recommendations: For Node.js versions 18.18.0 and later: Update to a version that includes a fix for this issue. For Node.js versions 20.4.0 and later: Update to a version that includes a fix for this issue. For Node.js versions 21 and later: Update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the use of setuid() and libuv's internal io uring operations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.