Node.js Linux Env Var Injection via Misapplied CAP Exception: CVE-2024-21892 February 2024

Node.js Linux Env Var Injection via Misapplied CAP Exception
CVE-2024-21892 Published on February 20, 2024

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Products Associated with CVE-2024-21892

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21892 are published in nodejs node.js:

Affected Versions

Version 4.0 and below 4.* is affected.

Version 5.0 and below 5.* is affected.

Version 6.0 and below 6.* is affected.

Version 7.0 and below 7.* is affected.

Version 8.0 and below 8.* is affected.

Version 9.0 and below 9.* is affected.

Version 10.0 and below 10.* is affected.

Version 11.0 and below 11.* is affected.

Version 12.0 and below 12.* is affected.

Version 13.0 and below 13.* is affected.

Version 14.0 and below 14.* is affected.

Version 15.0 and below 15.* is affected.

Version 16.0 and below 16.* is affected.

Version 17.0 and below 17.* is affected.

Version 18.0 and below 18.19.1 is affected.

Version 19.0 and below 19.* is affected.

Version 20.0 and below 20.11.1 is affected.

Version 21.0 and below 21.6.2 is affected.

Version 18.0.0, <= 18.19.0 is affected.

Version 20.0.0, <= 20.11.0 is affected.

Version 21.0.0, <= 21.6.0 is affected.

Exploit Probability

EPSS

0.25%

Percentile

47.80%