PT-2024-6045 · Node.Js+7
Dittyroma · Published 2024-07-08 · Updated 2026-05-18
CVE-2024-22020
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Node.js versions prior to 18.20.4
Node.js versions prior to 20.15.1
Node.js versions prior to 22.4.1
Description
A security flaw in Node.js allows the network import restriction to be bypassed: by embedding non-network imports in data URLs, an attacker can execute arbitrary code and compromise the system. The vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw violates the network import security guarantee, putting developers and servers at risk.
Recommendations
Update to Node.js version 18.20.4 or newer.
Update to Node.js version 20.15.1 or newer.
Update to Node.js version 22.4.1 or newer.
As a temporary workaround, consider forbidding data URLs in network imports until a patch is available.
Fix
Weakness types: Improper Access Control, Code Injection
Affected Products
Almalinux
Centos
Debian
Node.Js
Red Hat
Red Os
Rocky Linux
Suse