Privilege Escalation Vulnerability in Node.js by Joyent
CVE-2024-22017

7.3HIGH

Key Information:

Vendor: Node.js
Status: Node.js
Vendor: CVE Published:; 19 March 2024

What is CVE-2024-22017?

A vulnerability exists in Node.js affecting versions 18.18.0 and higher where the internal io_uring operations of libuv are not correctly influenced by the setuid() call. This flaw permits processes to execute privileged operations even after the intended privilege drop has occurred, representing a significant risk to applications leveraging Node.js for secure operations. Developers and system administrators are advised to review their versions of Node.js and apply necessary patches or mitigations to safeguard against unauthorized access and potential exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Node.js 18.18.0

Node.js 20.4.0

Node.js 21.6.1

References

https://hackerone.com/reports/2170226

http://www.openwall.com/lists/oss-security/2024/03/11/1

https://security.netapp.com/advisory/ntap-20240517-0007/

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 19, 2024
Vulnerability Reserved
Jan 4, 2024

JSON

Node.js