CVE-2024-22020
Severity: Low
Vulnerability Description
CVE-2024-22020 is a bypass of the restriction Node.js places on network imports, the --experimental-network-imports feature that lets ES modules be loaded over HTTP and HTTPS. A module fetched from the network is not permitted to import non-network modules, such as file: modules or node: builtins, so that remotely fetched code cannot reach the local file system or process.
The restriction did not cover data: URLs, which are not network resources. A network-loaded module could therefore import a data: URL whose body itself imports local or builtin modules, and that inner module was resolved as if it were local. Code fetched from the network thus gained the capabilities of a local module and could execute arbitrary code with the privileges of the Node.js process.
The issue was reproduced on multiple platforms. The fix forbids data: URL imports from network-loaded modules and shipped in the Node.js security releases of July 2024 (18.20.4, 20.15.1 and 22.4.1).
Only processes started with --experimental-network-imports are exposed; without that flag no modules are fetched over the network and the bypass does not apply. Processes that do enable the flag while loading code from hosts an attacker can influence should be upgraded, since the network-import boundary is the only control separating that code from the local system.
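The following is an added model of the import rule described above, written for this page; it is not Node.js's loader code. The protocol sets, function names and the sample module chain are assumptions made for the illustration. It shows why a direct node: import from a network module was always refused, why routing it through a data: module slipped past the pre-fix rule, and how rejecting the data: hop closes the gap.

```javascript
// Added model of the network-import rule that CVE-2024-22020 bypassed.
// Illustrative code, not Node.js's own loader: the protocol sets, the
// function names and the sample module chain below are assumptions.

const NETWORK_PROTOCOLS = new Set(['http:', 'https:']);
const LOCAL_PROTOCOLS = new Set(['file:', 'node:']);

// Classify a module URL by where its code comes from.
function classify(url) {
  const { protocol } = new URL(url);
  if (NETWORK_PROTOCOLS.has(protocol)) return 'network';
  if (protocol === 'data:') return 'data';
  if (LOCAL_PROTOCOLS.has(protocol)) return 'local';
  return 'other';
}

// Decide whether parentURL may import childURL.
// Rule: a module fetched over the network may only import other network
// modules. Before the fix a data: child was also accepted because it is
// not a network resource; that is the gap. With forbidDataFromNetwork set
// the data: hop is rejected as well.
function checkImport(parentURL, childURL, { forbidDataFromNetwork }) {
  const parent = classify(parentURL);
  const child = classify(childURL);
  const hop = `${parent} -> ${child}`;
  if (parent !== 'network') return { allowed: true, hop };
  if (child === 'network') return { allowed: true, hop };
  if (child === 'data' && !forbidDataFromNetwork) return { allowed: true, hop };
  return {
    allowed: false,
    hop,
    reason: `${child} import from a network module is not permitted`,
  };
}

// Walk an import chain (each entry imports the next) and report the first
// hop the policy rejects, or null if every hop is allowed.
function firstDeniedHop(chain, opts) {
  for (let i = 0; i + 1 < chain.length; i++) {
    const result = checkImport(chain[i], chain[i + 1], opts);
    if (!result.allowed) return { index: i, ...result };
  }
  return null;
}

// Constructed chain mirroring the advisory: a network module embeds a data:
// module whose only job is to pull in a builtin. The data: module's parent
// is the data: URL itself, which the pre-fix rule did not treat as network.
const BYPASS_CHAIN = [
  'https://cdn.example.test/app.mjs',
  'data:text/javascript,import "node:child_process"',
  'node:child_process',
];

// Direct attempt, which the restriction blocked both before and after the fix.
const DIRECT_CHAIN = ['https://cdn.example.test/app.mjs', 'node:child_process'];

function demo() {
  return {
    directBeforeFix: firstDeniedHop(DIRECT_CHAIN, { forbidDataFromNetwork: false }),
    bypassBeforeFix: firstDeniedHop(BYPASS_CHAIN, { forbidDataFromNetwork: false }),
    bypassAfterFix: firstDeniedHop(BYPASS_CHAIN, { forbidDataFromNetwork: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is the second hop of BYPASS_CHAIN: once the data: module is accepted, its own import of node:child_process is checked with a data: parent rather than a network parent, so the builtin restriction never fires. Rejecting data: children of network modules, as the fix does, stops the chain at the first hop.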
Related Advisories
- 2025-Feb-CVE-2024-22020
- CPUJAN2025: Oracle Critical Patch Update Advisory - January 2025
References & Resources
- http://www.openwall.com/lists/oss-security/2024/07/11/6 (source: support@hackerone.com)
- http://www.openwall.com/lists/oss-security/2024/07/19/3 (source: support@hackerone.com)
- https://hackerone.com/reports/2092749 (source: support@hackerone.com)
- https://security.netapp.com/advisory/ntap-20241122-0006/
Severity Details
Weakness Type (CWE): CWE-94 Improper Control of Generation of Code ('Code Injection')
- Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- Exploit Likelihood: Medium
- Typical Severity: High
- OWASP Top 10: A03:2021-Injection
- Abstraction Level: Base
Key Information
- Published Date: July 09, 2024
