24 lines
1.1 KiB
Markdown
24 lines
1.1 KiB
Markdown
|
---
|
||
|
|
title: IMPORTANT! Update Node.JS to 18.20.4, 20.15.1, 22.4.1 or newer!
|
||
|
|
date: 2024-07-08 21:04:03
|
||
|
|
tags:
|
||
|
|
- cybersecurity
|
||
|
|
- node.js
|
||
|
|
category: Notices
|
||
|
|
thumbnail: /images/covers/IMPORTANT-Update-Node-JS-to-18-20-4-20-15-1-22-4-1-or-newer.png
|
||
|
|
---
|
||
|
|
|
||
|
|
**IMPORTANT! Update Node.JS to 18.20.4, 20.15.1, 22.4.1 or newer!**
|
||
|
|
|
||
|
|
Older versions of Node.JS had a [CVE-2024-22020 vulnerability](https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#bypass-network-import-restriction-via-data-url-cve-2024-22020---medium), which involves embedding network imports in `data:` URLs to execute arbitrary code.
|
||
|
|
|
||
|
|
The original vulnerability description (from Node.JS blog):
|
||
|
|
|
||
|
|
_A security flaw in Node.js allows a bypass of network import restrictions._
|
||
|
|
|
||
|
|
_By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security._
|
||
|
|
|
||
|
|
_Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports._
|
||
|
|
|
||
|
|
_Exploiting this flaw can violate network import security, posing a risk to developers and servers._
|