CVE-2024-22020
Publication date 9 July 2024
Last updated 3 June 2025
Ubuntu priority
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nodejs | 25.04 plucky |
Not affected
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-22020
- https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#bypass-network-import-restriction-via-data-url-cve-2024-22020---medium
- https://hackerone.com/reports/2092749
- https://github.com/nodejs/node/commit/24648b5769dbfa71896fa32a402ddcb8ee348a8d
- https://github.com/nodejs/node/commit/4fe0f826a80365ce2512b8193ceaa9466c288aa5A
- https://github.com/nodejs/node/commit/0881c1f01ac90006315cae5b9c38cfbf44d37e59
- https://github.com/nodejs/node/commit/4324e11935659a2ed2d17f84bc87b9c9198b4fdf