CVE-2024-22020 - Vulnerability Details

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Nodejs	Nodejs
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
nodejs:20-8100020240808073736.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:5814	2024-08-26T00:00:00Z
nodejs:18-8100020240807161023.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:6148	2024-09-03T00:00:00Z
Red Hat Enterprise Linux 9
nodejs:20-9040020240807145403.rhel9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:5815	2024-08-26T00:00:00Z
nodejs:18-9040020240807131341.rhel9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:6147	2024-09-03T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/11/6
http://www.openwall.com/lists/oss-security/2024/07/19/3
https://hackerone.com/reports/2092749
https://nvd.nist.gov/vuln/detail/CVE-2024-22020
https://security.netapp.com/advisory/ntap-20241122-0006/
https://www.cve.org/CVERecord?id=CVE-2024-22020

History

Fri, 14 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94

Fri, 22 Nov 2024 13:00:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20241122-0006/

Fri, 25 Oct 2024 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Fri, 25 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nodejs Nodejs nodejs
CPEs		cpe:2.3:a:nodejs:nodejs::::::::
Vendors & Products		Nodejs Nodejs nodejs
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 26 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-07-09T01:07:28.098Z

Updated: 2025-04-30T22:25:20.702Z

Reserved: 2024-01-04T01:04:06.574Z

Link: CVE-2024-22020

Vulnrichment

Updated: 2024-11-22T12:04:47.763Z

NVD

Status : Awaiting Analysis

Published: 2024-07-09T02:15:09.973

Modified: 2025-03-14T19:15:44.700

Link: CVE-2024-22020

Redhat

Severity : Moderate

Publid Date: 2024-07-09T00:00:00Z

Links: CVE-2024-22020 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-22020", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-01-04T01:04:06.574Z", "datePublished": "2024-07-09T01:07:28.098Z", "dateUpdated": "2025-04-30T22:25:20.702Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers."}], "affected": [{"product": "Node", "vendor": "NodeJS", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.*"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.*"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.*"}, {"versionType": "semver", "version": "17.0", "status": "affected", "lessThan": "17.*"}, {"versionType": "semver", "version": "18.0", "status": "affected", "lessThan": "18.20.4"}, {"versionType": "semver", "version": "19.0", "status": "affected", "lessThan": "19.*"}, {"versionType": "semver", "version": "20.0", "status": "affected", "lessThan": "20.15.1"}, {"versionType": "semver", "version": "21.0", "status": "affected", "lessThan": "21.*"}, {"versionType": "semver", "version": "22.0", "status": "affected", "lessThan": "22.4.1"}]}], "references": [{"url": "https://hackerone.com/reports/2092749"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:25:20.702Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "nodejs", "product": "nodejs", "cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "21.6.1", "status": "affected"}, {"version": "20.11.0", "status": "affected"}, {"version": "18.19.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-13T03:55:30.015268Z", "id": "CVE-2024-22020", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:21:57.412Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2092749", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20241122-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-22T12:04:47.763Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/2092749", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20241122-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-22T12:04:47.763Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-13T03:55:30.015268Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "nodejs", "versions": [{"status": "affected", "version": "21.6.1"}, {"status": "affected", "version": "20.11.0"}, {"status": "affected", "version": "18.19.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T14:15:40.771Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"}}], "affected": [{"vendor": "NodeJS", "product": "Node", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.20.4", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}, {"status": "affected", "version": "20.0", "lessThan": "20.15.1", "versionType": "semver"}, {"status": "affected", "version": "21.0", "lessThan": "21.*", "versionType": "semver"}, {"status": "affected", "version": "22.0", "lessThan": "22.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/2092749"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}], "descriptions": [{"lang": "en", "value": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:25:20.702Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22020", "state": "PUBLISHED", "dateUpdated": "2025-04-30T22:25:20.702Z", "dateReserved": "2024-01-04T01:04:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-07-09T01:07:28.098Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers."}, {"lang": "es", "value": "Un fallo de seguridad en Node.js permite eludir las restricciones de importaci\u00f3n de la red. Al incorporar importaciones fuera de la red en las URL de datos, un atacante puede ejecutar c\u00f3digo arbitrario, comprometiendo la seguridad del sistema. Verificada en varias plataformas, la vulnerabilidad se mitiga al prohibir las URL de datos en las importaciones de red. La explotaci\u00f3n de este fallo puede violar la seguridad de importaci\u00f3n de la red, lo que representa un riesgo para los desarrolladores y servidores."}], "id": "CVE-2024-22020", "lastModified": "2025-03-14T19:15:44.700", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 5.5, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2024-07-09T02:15:09.973", "references": [{"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}, {"source": "support@hackerone.com", "url": "https://hackerone.com/reports/2092749"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2092749"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20241122-0006/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5814", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8100020240808073736.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-26T00:00:00Z"}, {"advisory": "RHSA-2024:6148", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8100020240807161023.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:5815", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9040020240807145403.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-26T00:00:00Z"}, {"advisory": "RHSA-2024:6147", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9040020240807131341.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-03T00:00:00Z"}], "bugzilla": {"description": "nodejs: Bypass network import restriction via data URL", "id": "2296417", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296417"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "status": "verified"}, "details": ["A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", "A flaw was found in the Node.js package. By embedding non-network imports in data URLs, this flaw allows an attacker to execute arbitrary code, compromising system security."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22020", "public_date": "2024-07-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22020\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22020\nhttps://hackerone.com/reports/2092749"], "statement": "This vulnerability is categorized as moderate severity rather than high due to its specific conditions for exploitation and impact scope. While the flaw permits bypassing network import restrictions via data URLs to execute arbitrary code, its exploitation is contingent on the attacker\u2019s ability to inject and execute code within a controlled environment. The impact is constrained to scenarios where the vulnerable application processes data URLs and lacks robust validation mechanisms. Additionally, this issue requires the attacker to exploit specific code paths and permissions, which limits its widespread applicability.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object