ALPINE-CVE-2024-22020

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2024-22020

Published: 09 Jul 2024, 02:15

Last modified:03 Dec 2025, 22:55

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

3.0 (osv_alpine)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Jul 2024, 02:15

Published

Vulnerability first disclosed

03 Dec 2025, 22:55

Last Modified

Vulnerability information updated

Description

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.

CVSS Metrics

v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Affected Systems

alpine•nodejs
< 20.15.1-r0 | < 20.15.1-r0 | < 20.15.1-r0 | < 20.15.1-r0 | < 20.15.1-r0

References (1)

https://security.alpinelinux.org/vuln/CVE-2024-22020