CVE-2024-22020

Description

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

How to fix CVE-2024-22020

To remediate CVE-2024-22020, upgrade the affected package to a fixed version below.

• —upgrade to 20.15.1-r0 or later
• —upgrade to 18.20.4 or later
• —upgrade to 18.20.5 or later
• —upgrade to 18.20.4+dfsg-1~deb12u1 or later

Is CVE-2024-22020 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 20.15.1-r0
• from 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
• from 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
• from 0, < 18.20.4+dfsg-1~deb12u1

CVSS scores

References (10)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-22020
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-22020
• WEBgithub.com/nodejs/node/releases/tag/v18.20.4
• WEBgithub.com/nodejs/node/releases/tag/v20.15.1
• WEB