CVE-2024-22017

HIGH

Node.js >=18.18.0 - Privilege Escalation


Description

setuid() does not affect libuv's internal io_uring operations if they were initialized before the call to setuid(). This allows the process to continue performing privileged operations despite presumably having dropped those privileges through the call to setuid(). This vulnerability affects all users of Node.js 18.18.0 and later, Node.js 20.4.0 and later, and Node.js 21.

Exploits (1)

nomisec WORKING POC
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/cve-2024-22017_to_test

Scores

CVSS v3 7.3
EPSS 0.0088
EPSS Percentile 75.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-250
Status published
Products (17)
NodeJS/Node 10.0 - 10.*
NodeJS/Node 11.0 - 11.*
NodeJS/Node 12.0 - 12.*
NodeJS/Node 13.0 - 13.*
NodeJS/Node 14.0 - 14.*
NodeJS/Node 15.0 - 15.*
NodeJS/Node 16.0 - 16.*
NodeJS/Node 17.0 - 17.*
NodeJS/Node 19.0 - 19.*
NodeJS/Node 20.0 - 20.11.1
... and 7 more
Published Mar 19, 2024
Tracked Since Feb 18, 2026