CVE-2024-22020: A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute...

6.5 CVSS

Description

A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data: URLs, an attacker can execute arbitrary code, compromising system security.
The vulnerability has been verified on multiple platforms and is mitigated by forbidding data: URLs in network imports.
Exploiting this flaw violates the network import security model, posing a risk to developers and servers.

Classification

CVE ID: CVE-2024-22020

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Affected Products

Vendor: Node.js

Product: Node.js

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 18.39% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://hackerone.com/reports/2092749
http://www.openwall.com/lists/oss-security/2024/07/11/6
http://www.openwall.com/lists/oss-security/2024/07/19/3

Timeline