Vulnerability DatabaseCVE-2024-21892

CVE-2024-21892:
npm vulnerability analysis and mitigation

Overview

CVE-2024-21892 is a high-severity vulnerability discovered in Node.js affecting versions prior to 18.19.1, 20.11.1, and 21.6.2. The vulnerability was disclosed on February 14, 2024, and affects Node.js implementations on Linux systems. The issue stems from Node.js incorrectly handling environment variables when running with elevated privileges, specifically related to the CAPNETBIND_SERVICE capability exception (NodeJS Blog).

Technical details

The vulnerability occurs when Node.js is running on Linux with elevated privileges. While Node.js is designed to ignore certain environment variables that may have been set by unprivileged users when running with elevated privileges, it makes an exception for CAPNETBIND_SERVICE. Due to a bug in the implementation, this exception is incorrectly applied even when certain other capabilities have been set. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

When successfully exploited, this vulnerability allows unprivileged users to inject code that inherits the process's elevated privileges. This can lead to privilege escalation, potentially allowing attackers to execute arbitrary code with elevated permissions. The vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x (OSS Security).

Mitigation and workarounds

The vulnerability has been patched in Node.js versions 18.19.1, 20.11.1, and 21.6.2. Users are strongly advised to upgrade to these versions or later to address the security issue. The fixes were released as part of the February 2024 security updates (NodeJS Blog).

Community reactions

The vulnerability has received significant attention from the security community and has been classified as high severity by multiple organizations. NetApp has issued an advisory (NTAP-20240322-0003) acknowledging the vulnerability's impact on their products and Red Hat has released security updates to address the issue in their Enterprise Linux distributions (NetApp Advisory, Red Hat Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.8

Score

Published February 20, 2024

Severity HIGH

CNA Score 7.5

Affected Technologies

npm
Node.js

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 44.6

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

openjdk21
nodejs:18::nodejs

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Apr 04, 2024
- AlmaLinux 9 Severity HIGHHas FixAdded at: Apr 11, 2024
Alpine Security Tracker
- Alpine 3.17, 3.18, 3.19, edge Severity HIGHHas FixAdded at: Apr 30, 2024
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity HIGHHas FixAdded at: May 08, 2024
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: May 04, 2025
Debian Security Tracker
- Debian 12 Severity HIGHNo FixAdded at: Feb 18, 2024
- Debian 13 Severity HIGHHas FixAdded at: Feb 18, 2024
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: May 15, 2025
Photon Security Advisory
- Photon 4.0 Severity HIGHHas FixAdded at: Apr 04, 2024
- Photon 5.0 Severity HIGHHas FixAdded at: Feb 28, 2024
Red Hat Errata
- Red Hat 8 Severity HIGHHas FixAdded at: Feb 18, 2024
- Red Hat 9 Severity HIGHHas FixAdded at: Feb 18, 2024
NVD
- Linux Severity HIGHHas FixAdded at: Feb 19, 2024
- Windows Severity HIGHHas FixAdded at: Feb 19, 2024