Beware! Node.js vulnerability allows code injection with elevated privileges

CVECVE-2024-21892
CVSScvssV3_0: 7.5
SourceCVE-2024-21892

Node.js is a popular JavaScript runtime environment used for building server-side and networking applications. Unfortunately, a vulnerability has been discovered that could allow attackers to inject malicious code with elevated privileges on systems using Node.js.

The issue stems from how Node.js handles certain environment variables and capabilities. When running with elevated privileges, it should ignore variables set by unprivileged users. However, due to a bug, it incorrectly applies this exception even when other capabilities are enabled.

This means an attacker could craft an environment variable containing malicious code and have it executed with the same high privileges as the Node.js process. They could then gain unauthorized access or control of the affected system.

If you use Node.js on your servers, be sure to update to the latest version as soon as possible. Applying the patch will prevent exploitation of this vulnerability. It’s also recommended to review your server configurations and restrict which accounts can modify environment variables or capabilities. Taking these steps will help protect you from the risks of code injection attacks.

References