INFSA-2024:6147: nodejs:18 security update
Advisory information
Identifier: INFSA-2024:6147
Type: security
Release date: 2024-09-06 18:22:44 UTC
Information about package
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Vulnerability descriptions
- CVE-2024-22020
A flaw in Node.js allows the restrictions on network imports (the --experimental-network-imports feature) to be bypassed. A module loaded over the network is only permitted to import other network modules, but by importing a data: URL whose body in turn imports a local or built-in module, a remote module could escape that restriction and execute arbitrary code on the host. The issue was confirmed on multiple platforms and is mitigated by forbidding data: URLs in network imports. Only processes started with network imports enabled are affected, but for those the flaw defeats the sandboxing the feature is meant to provide, putting developers and servers that load remote modules at risk.
- CVE-2024-28863
A denial-of-service flaw in isaacs' node-tar, which is bundled with Node.js. Before node-tar 6.2.1 there was no limit on the number of nested sub-folders created during extraction, so resource consumption while processing an archive was not controlled. An attacker who supplies a specially crafted tar archive containing a path with a very large number of nested directories can exhaust memory and crash the Node.js process within seconds of extraction starting. The attack vector is the archive itself: any service that extracts untrusted tar files with a vulnerable node-tar is exposed.
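The two descriptions above each sketch a mechanism; the following added example (written for this advisory, not Node.js or node-tar code) models both. The first part is a simplified model of the network-import policy behind CVE-2024-22020: with `forbidData` off, a network module may import a data: URL, and the data: module, not being a network parent, may import `node:fs`; with `forbidData` on (the upstream mitigation) the chain is cut at the data: URL. The second part is a pre-extraction guard in the spirit of CVE-2024-28863: it walks the ustar headers of an archive and rejects it when directory paths nest deeper than a limit, before anything is handed to an extractor. Function names, the attacker host `attacker.example`, the limits and the archives built by `nestedDirArchive` are all assumptions constructed for the demo.

```javascript
// --- Part 1: model of Node's network-import rule (not Node's resolver) ---
const NETWORK = new Set(['http:', 'https:']);
const scheme = (href) => new URL(href).protocol;

// May module `parent` import `specifier`? A network-loaded module may only
// import other network modules. With forbidData=false a data: URL slips
// through (CVE-2024-22020); with forbidData=true it is rejected (the fix).
function checkImport(parent, specifier, { forbidData }) {
  const child = new URL(specifier, parent).href; // data:, node:, https: are absolute
  if (!NETWORK.has(scheme(parent))) return { allowed: true, child }; // local/data: parents unrestricted
  if (NETWORK.has(scheme(child))) return { allowed: true, child };
  if (scheme(child) === 'data:' && !forbidData) return { allowed: true, child };
  return { allowed: false, child, reason: `network module ${parent} may not import a ${scheme(child)} URL` };
}

// Walk an import chain and return the first module that is denied, or null.
function firstDenied(chain, opts) {
  for (let i = 1; i < chain.length; i++) {
    const r = checkImport(chain[i - 1], chain[i], opts);
    if (!r.allowed) return r.child;
  }
  return null;
}

// Constructed attack chain: an HTTPS module imports a data: module whose body
// imports a builtin; the data: module is not a network parent, so step 3 passes.
const CHAIN = [
  'https://attacker.example/mod.mjs',           // hypothetical attacker host
  'data:text/javascript,import%20%22node:fs%22',
  'node:fs',
];

// --- Part 2: depth guard for tar archives (not node-tar's own fix) ---
const BLOCK = 512;

// Build one ustar header for a directory entry (constructed test data).
function dirHeader(path) {
  const h = Buffer.alloc(BLOCK, 0);
  let name = path, prefix = '';
  if (name.length > 100) {                       // ustar splits long paths at a '/'
    const cut = name.lastIndexOf('/', 155);
    prefix = name.slice(0, cut); name = name.slice(cut + 1);
  }
  h.write(name, 0, 'latin1');
  h.write('0000755\0', 100); h.write('0000000\0', 108); h.write('0000000\0', 116);
  h.write('00000000000\0', 124);                 // size: directories carry no data
  h.write('00000000000\0', 136);                 // mtime
  h.write('5', 156);                             // typeflag '5' = directory
  h.write('ustar\0' + '00', 257);
  h.write(prefix, 345, 'latin1');
  h.fill(' ', 148, 156);                         // checksum is computed with this field blank
  let sum = 0; for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

// Yield {path, type, size} for each header, skipping file data blocks.
function* entries(buf) {
  for (let off = 0; off + BLOCK <= buf.length;) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) return;         // end-of-archive marker
    const str = (s, l) => h.toString('latin1', s, s + l).replace(/\0.*$/s, '');
    const prefix = str(345, 155), name = str(0, 100);
    const size = parseInt(str(124, 12).trim() || '0', 8);
    yield { path: prefix ? `${prefix}/${name}` : name, type: str(156, 1) || '0', size };
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
}

// Reject the archive before extraction if any path nests too deeply or
// there are too many directory entries; limits are illustrative.
function inspectArchive(buf, { maxDepth = 32, maxDirs = 10000 } = {}) {
  let dirs = 0, deepest = 0;
  for (const e of entries(buf)) {
    const depth = e.path.split('/').filter(Boolean).length;
    deepest = Math.max(deepest, depth);
    if (e.type === '5') dirs++;
    if (depth > maxDepth) return { ok: false, reason: `path depth ${depth} > ${maxDepth}: ${e.path}` };
    if (dirs > maxDirs) return { ok: false, reason: `more than ${maxDirs} directories` };
  }
  return { ok: true, dirs, deepest };
}

// Constructed archive: d, d/d, d/d/d, ... nested `depth` levels deep.
function nestedDirArchive(depth) {
  const blocks = [];
  for (let d = 1; d <= depth; d++) blocks.push(dirHeader(Array(d).fill('d').join('/')));
  blocks.push(Buffer.alloc(BLOCK * 2));          // two zero blocks terminate the archive
  return Buffer.concat(blocks);
}
```

`firstDenied(CHAIN, { forbidData: false })` returns `null` (the chain reaches `node:fs`), while `firstDenied(CHAIN, { forbidData: true })` returns the data: URL, which is exactly where the patched loader stops. `inspectArchive(nestedDirArchive(40))` is rejected under the default depth limit, and the same archive passes with `{ maxDepth: 64 }`; a real deployment should pick the limit from the archives it legitimately expects and, above all, upgrade node-tar.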
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
---|---|---|---
NIST — CVE-2024-22020 | no information | 6.5 | no information
NIST — CVE-2024-28863 | no information | 6.5 | no information
Updated packages