Severity: 6.5 MEDIUM
EPSS: 0.1% (top 67.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 9
Latest update: Apr 16

Description

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. The vulnerability was verified on various platforms and is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
Exploitability: 1.0 | Impact: 5.5

Affected Packages (3 packages)

Source       Package       Affected versions
CVEList V5   nodejs/node   4.0, 4.* (+18 more)
Alpine       nodejs        < 20.15.1-r0 (+4 more)
Debian       nodejs        < 18.20.4+dfsg-1~deb12u1 (+2 more)

Vulnerability Details (4)

Source    Entry                                              Date
OSV       CVE-2024-22020: A security flaw in Node            2024-07-09
GHSA      GHSA-ch4x-f5c4-36gv: A security flaw in Node       2024-07-09
OSV       CVE-2024-22020: A security flaw in Node            2024-07-09
CVEList   CVE-2024-22020: A security flaw in Node            2024-07-09

Vendor Advisories (5)

Source    Advisory                                                                                              Date
Red Hat   kernel: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove                       2025-04-16
Oracle    Oracle PeopleSoft Risk Matrix: OpenSearch (Node.js) — CVE-2024-22020                                    2025-01-15
Oracle    Oracle Blockchain Platform Risk Matrix: Blockchain Cloud Service Console (Node.js) — CVE-2024-22020     2024-10-15
Red Hat   nodejs: Bypass network import restriction via data URL                                                  2024-07-09
Debian    CVE-2024-22020: nodejs - A security flaw in Node.js allows a bypass of network import restrictions. By e...   2024
Source: cvebase.io, CVE-2024-22020 (MEDIUM, CVSS 6.5)