CVE-2024-22020

MEDIUM

Node.js < 18.20.4, 20.0-20.15.1, 22.0-22.4.1 - Remote Code Execution via Data URL Network Import Bypass

Title source: llm

Description

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

References (4)

Core 4

Core References

Third Party Advisory

https://hackerone.com/reports/2092749

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/11/6

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/19/3

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241122-0006/

Scores

CVSS v3 6.5

EPSS 0.0013

EPSS Percentile 32.3%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (19)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 18.0 - 18.20.4

NodeJS/Node 19.0 - 19.*

... and 9 more

Published Jul 09, 2024

Tracked Since Feb 18, 2026