vulnerability
Ubuntu: (CVE-2024-22017): nodejs vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:L/AC:L/Au:M/C:P/I:C/A:P) | Mar 19, 2024 | Jun 26, 2025 | Aug 18, 2025 |
Severity
6
CVSS
(AV:L/AC:L/Au:M/C:P/I:C/A:P)
Published
Mar 19, 2024
Added
Jun 26, 2025
Modified
Aug 18, 2025
Description
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
Solution
no-fix-ubuntu-package
References
- CVE-2024-22017
- https://attackerkb.com/topics/CVE-2024-22017
- CWE-250
- URL-https://github.com/nodejs/node/commit/42e659cb9d9425f76dbe9b57a437005508c0933d
- URL-https://github.com/nodejs/node/commit/6d14352c51974f0ba1a11e9e4889e61dae9da1f4
- URL-https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#setuid-does-not-drop-all-privileges-due-to-io_uring-cve-2024-22017---high
- URL-https://www.cve.org/CVERecord?id=CVE-2024-22017
- URL-https://www.openwall.com/lists/oss-security/2024/03/11/1
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.