CVE-2024-22017

HIGH

Node.js >=18.18.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-22017. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary: The repository contains a functional PoC for CVE-2024-22017, demonstrating a local privilege escalation (LPE) via Node.js child process manipulation. The exploit leverages `process.setuid` and spawns a command shell to verify elevated privileges.

Description

setuid() does not affect libuv's internal io_uring operations if io_uring is initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users running Node.js versions greater than or equal to 18.18.0, 20.4.0 and 21.

Exploits (1)

nomisec WORKING POC
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/cve-2024-22017_to_test

Classification: Working PoC 80%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Node.js (versions affected by CVE-2024-22017)
No auth needed
Prerequisites: Node.js environment with vulnerable version · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 7.3
EPSS: 0.0089
EPSS Percentile: 54.6%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-250
Status: published
Products (17)
NodeJS/Node 10.0 - 10.*
NodeJS/Node 11.0 - 11.*
NodeJS/Node 12.0 - 12.*
NodeJS/Node 13.0 - 13.*
NodeJS/Node 14.0 - 14.*
NodeJS/Node 15.0 - 15.*
NodeJS/Node 16.0 - 16.*
NodeJS/Node 17.0 - 17.*
NodeJS/Node 19.0 - 19.*
NodeJS/Node 20.0 - 20.11.1
... and 7 more
Published: Mar 19, 2024
Tracked Since: Feb 18, 2026