Gentoo update for Node.js
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2023-38552 CVE-2023-39331 CVE-2023-39332 CVE-2023-39333 CVE-2023-44487 CVE-2023-45143 CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22018 CVE-2024-22019 CVE-2024-22020 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983 CVE-2024-36137 CVE-2024-37372 |
| CWE-ID | CWE-354 CWE-22 CWE-94 CWE-400 CWE-200 CWE-385 CWE-1068 CWE-755 CWE-269 CWE-264 CWE-20 CWE-918 CWE-444 CWE-617 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #5 is being exploited in the wild. Public exploit code for vulnerability #18 is available. |
| Vulnerable software |
Gentoo Linux Operating systems & Components / Operating system net-libs/nodejs Operating systems & Components / Operating system package or component |
| Vendor | Gentoo |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) Improper validation of integrity check value
EUVDB-ID: #VU82069
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-38552
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in the policy feature, which checks the integrity of a resource against a trusted manifest. An application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU82067
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39331
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to insufficient patch for #VU77594 (CVE-2023-30584). A remote user can send a specially crafted request and read arbitrary files on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Path traversal
EUVDB-ID: #VU82068
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39332
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in paths stored in Uint8Array. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Code Injection
EUVDB-ID: #VU82070
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-39333
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation in an imported WebAssembly module when processing export names. A remote attacker can pass specially crafted export names to the application and execute arbitrary JavaScript code on the system.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource exhaustion
EUVDB-ID: #VU81728
Risk: High
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2023-44487
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
6) Information disclosure
EUVDB-ID: #VU82066
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-45143
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to software send Cookies in HTTP headers during cross-origin redirects. A remote attacker can gain unauthorized access to sensitive information.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Covert Timing Channel
EUVDB-ID: #VU86724
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-46809
CWE-ID:
CWE-385 - Covert Timing Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform Marvin attack.
The vulnerability exists due to a covert timing channel in the privateDecrypt() API of the crypto library. A remote attacker can perform a covert timing side-channel during PKCS#1 v1.5 padding error handling and decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing Json Web Encryption messages.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Inconsistency between implementation and documented design
EUVDB-ID: #VU86728
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21890
CWE-ID:
CWE-1068 - Inconsistency Between Implementation and Documented Design
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper handling of wildcards in --allow-fs-read and --allow-fs-write. A remote attacker can gain access to sensitive information.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Path traversal
EUVDB-ID: #VU86726
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21891
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper handling of exceptional conditions
EUVDB-ID: #VU86718
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-21892
CWE-ID:
CWE-755 - Improper Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way certain environment variables are handled by Node.js on Linux. A local user can use a specially crafted environment variable to escalate privileges on the system.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Path traversal
EUVDB-ID: #VU86722
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21896
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Buffer.prototype.utf8Write. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper Privilege Management
EUVDB-ID: #VU86723
Risk: Low
CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]
CVE-ID: CVE-2024-22017
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges.
The vulnerability exists due to setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). A local user can escalate privileges on the system.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU93882
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-22018
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass permissions model.
The vulnerability exists due to application does not properly impose security restrictions when experimental permission model when the --allow-fs-read flag is used. A remote user can retrieve stats from files that they do not have explicit read access to.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Input validation error
EUVDB-ID: #VU86721
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-22019
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests with chunked encoding. A remote attacker can send specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU93880
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-22020
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Input validation error
EUVDB-ID: #VU86733
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-22025
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling brotli decoding. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU88176
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-27982
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Reachable Assertion
EUVDB-ID: #VU88175
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-27983
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling HTTP/2 packets. A remote attacker can send a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside and perform a denial of service (DoS) attack.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU93881
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-36137
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to application does not properly impose security restrictions in the experimental permission model when the --allow-fs-write flag is used. A remote user can change file ownership and permissions via fs.fchown and fs.fchmod.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Input validation error
EUVDB-ID: #VU93883
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-37372
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass permissions model.
The vulnerability exists due to insufficient validation of UNC paths with backslashes. A remote user can bypass certain security restrictions.
Update the affected packages.
net-libs/nodejs to version: 22.4.1
Gentoo Linux: All versions
net-libs/nodejs: before 22.4.1
CPE2.3- cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*
- cpe:2.3:a:gentoo:net-libs_nodejs:*:*:*:*:*:gentoo_linux:*:*
https://security.gentoo.org/glsa/202505-11
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
