vulnerability

Amazon Linux 2023: CVE-2024-22017: Important priority package update for nodejs20

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:L/AC:M/Au:S/C:C/I:C/A:C)	Feb 19, 2024	Feb 17, 2025	Jul 9, 2025

Severity

CVSS

(AV:L/AC:M/Au:S/C:C/I:C/A:C)

Published

Feb 19, 2024

Added

Feb 17, 2025

Modified

Jul 9, 2025

Description

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
A flaw was found in Node.js, where the setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().

Solutions

amazon-linux-2023-upgrade-nodejs20amazon-linux-2023-upgrade-nodejs20-debuginfoamazon-linux-2023-upgrade-nodejs20-debugsourceamazon-linux-2023-upgrade-nodejs20-develamazon-linux-2023-upgrade-nodejs20-docsamazon-linux-2023-upgrade-nodejs20-full-i18namazon-linux-2023-upgrade-nodejs20-libsamazon-linux-2023-upgrade-nodejs20-libs-debuginfoamazon-linux-2023-upgrade-nodejs20-npmamazon-linux-2023-upgrade-v8-11-3-devel

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today