Node.js Fixes Multiple Vulnerabilities - CVE-2024-27980

The Node.js Project has released a security update to address multiple vulnerabilities, including a high-severity flaw that could allow attackers to bypass security measures and execute arbitrary code.

The most severe vulnerability, CVE-2024-36138, is a bypass of an incomplete fix for a previous issue, CVE-2024-27980, dubbed the BatBadBut vulnerability. This flaw could allow attackers to inject and execute arbitrary commands on Windows systems, even when shell options are disabled. This vulnerability affects all active Node.js release lines (v18.x, v20.x, and v22.x) and poses a significant risk to Windows users.
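As a defence-in-depth measure alongside upgrading, a pre-spawn check can refuse to pass risky arguments to batch scripts on Windows. This is an added example, not code from the Node.js project or the original article; it assumes the exposed calls are `child_process` spawns of `.bat`/`.cmd` files (the BatBadBut class), and the helper names `isBatchTarget`, `checkSpawn` and `guardedSpawn` are hypothetical.

```javascript
// Added example: hypothetical pre-spawn guard for Windows batch targets.
const path = require('node:path');
const { spawn } = require('node:child_process');

// Characters cmd.exe interprets when it parses a batch file's command line.
const CMD_META = /["%&|<>^!()\r\n]/;

// True if Windows would treat `file` as a batch script. Windows file names are
// case-insensitive and trailing dots/spaces are ignored, so normalise first.
function isBatchTarget(file) {
  const name = path.win32.basename(String(file))
    .replace(/[. ]+$/, '')
    .toLowerCase();
  return name.endsWith('.bat') || name.endsWith('.cmd');
}

// Decide whether a spawn request is acceptable. `platform` is injectable so
// the policy can be unit-tested on any OS.
function checkSpawn(file, args = [], platform = process.platform) {
  if (platform !== 'win32' || !isBatchTarget(file)) {
    return { ok: true, rejected: [] };
  }
  // Batch targets are run through cmd.exe, so arguments carrying cmd.exe
  // metacharacters are rejected outright rather than escaped.
  const rejected = args.map(String).filter((a) => CMD_META.test(a));
  return { ok: rejected.length === 0, rejected };
}

// Wrapper around child_process.spawn that enforces the policy above.
function guardedSpawn(file, args = [], options = {}) {
  const verdict = checkSpawn(file, args);
  if (!verdict.ok) {
    throw new Error(
      `refusing to spawn batch file with unsafe args: ${JSON.stringify(verdict.rejected)}`
    );
  }
  return spawn(file, args, { ...options, shell: false });
}
```

Route untrusted input through `guardedSpawn` instead of calling `spawn` directly; where possible, avoid passing user-controlled arguments to batch files at all.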

In addition to the high-severity CVE-2024-36138, the update addresses several medium- and low-severity vulnerabilities as below.

These vulnerabilities affect all users of the specified Node.js versions, particularly those using Windows systems and the experimental permission model.

The Node.js Project strongly recommends that all users upgrade to the latest versions immediately. It is crucial for users to take immediate action to protect their systems and data.