CVE-2024-22017: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform...

7.3 CVSS

Description

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users of Node.js 18.18.0 and later, Node.js 20.4.0 and later, and Node.js 21.

Classification

CVE ID: CVE-2024-22017

CVSS Base Severity: HIGH

CVSS Base Score: 7.3

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

Affected Products

Vendor: Node.js

Product: Node.js

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.39% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://hackerone.com/reports/2170226
http://www.openwall.com/lists/oss-security/2024/03/11/1
https://security.netapp.com/advisory/ntap-20240517-0007/

Timeline