Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, widely used in web applications and server-side development.
An Code Injection vulnerability has been identified in Node.js. The issue stems from a security flaw that allows a bypass of network import restrictions. This weakness allows attackers to execute arbitrary code, compromising system security.
This vulnerability affects specific versions of the package and can result in unauthorized access and system compromise. Details on affected versions and reproduction steps are provided below.
Details
Module Info
Affected packages: Node
Affected versions: 4.0 < 18.20.4, 20 < 20.15.1, 22 < 22.4.1
GitHub repository: https://github.com/nodejs/node
Published packages: https://github.com/nodejs/node/releases
Package manager: npm
Fixed in: Node.js NES version 16
Vulnerability Info
The issue stems from improper control of generation of code ('Code Injection').
For instance, in a network import context, if data URLs are embedded, the system allows execution of arbitrary code. This behavior can be exploited by attackers to compromise system security.
This vulnerability is a result of flawed logic, and may allow attackers to execute arbitrary code.
- https://www.cve.org/CVERecord?id=CVE-2024-22020
- https://owasp.org/www-community/attacks/Code_Injection
Credits
- dittyroma
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.