CVE-2024-21892 HIGH

CVE-2024-21892

Vendor Nodejs
Product Node
Published February 20, 2024
Last update April 30, 2025

CVSS base score

7.5/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

On Linux, when a Node.js process runs with elevated privileges (setuid, or a binary carrying file capabilities), it ignores certain environment variables that an unprivileged user could have set, such as NODE_OPTIONS, because they would let that user alter what code the runtime loads. The one intended exception is a process whose only capability is CAP_NET_BIND_SERVICE: being allowed to bind a low port is not considered reason enough to distrust the environment. Due to a bug in the implementation of this exception, Node.js also applied it when certain other capabilities had been granted alongside it. An unprivileged local user who can set the environment of such a process can therefore inject code that inherits the process's elevated privileges. Deployments are exposed only where node itself is privileged in this way, which can be checked with `getcap` on the binary and by confirming it is not setuid; a plain unprivileged node process is unaffected.
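The following is an added illustration of the class of bug the advisory describes, not Node.js source code. On Linux, capget() returns each capability set as two 32-bit words (capabilities 0-31 in word 0, 32-63 in word 1). A "has only this one capability" check that inspects only the word containing the capability it is looking for silently ignores anything set in the other word, so a process holding CAP_NET_BIND_SERVICE plus a high-numbered capability passes as if it held CAP_NET_BIND_SERVICE alone. The capability numbers are the real Linux values; the `privileged` flag, the function names and the sample capability sets are assumptions constructed for this example.

```c
/*
 * Added example (not Node.js source): a "has only this one capability" check
 * that inspects a single 32-bit word of the permitted set, beside a version
 * that checks every word. Capability numbers are the real Linux values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real Linux capability numbers (see <linux/capability.h>). */
#define CAP_NET_BIND_SERVICE 10   /* bind to ports below 1024; lives in word 0 */
#define CAP_SYS_ADMIN        21   /* broad administrative power; word 0 */
#define CAP_BPF              39   /* >= 32, so it lives in word 1 */

/* Permitted set in the shape capget() returns it: two 32-bit words. */
struct cap_words {
    uint32_t permitted[2];
};

static int cap_word(int cap) { return cap >> 5; }             /* which word */
static uint32_t cap_mask_in_word(int cap) { return 1u << (cap & 31); }

/* Flawed check: only the word holding `cap` is compared, so any capability
 * in the other word is ignored. */
bool has_only_flawed(const struct cap_words *c, int cap) {
    return c->permitted[cap_word(cap)] == cap_mask_in_word(cap);
}

/* Correct check: the word holding `cap` must contain exactly `cap`, and
 * every other word must be empty. */
bool has_only_fixed(const struct cap_words *c, int cap) {
    for (int w = 0; w < 2; w++) {
        uint32_t expected = (w == cap_word(cap)) ? cap_mask_in_word(cap) : 0;
        if (c->permitted[w] != expected) return false;
    }
    return true;
}

/* Policy modelled on the advisory: a privileged process honours user-set
 * environment variables only if its sole capability is CAP_NET_BIND_SERVICE.
 * `privileged` stands in for "setuid or file capabilities present" and is an
 * assumption of this example. */
bool env_is_trusted(bool privileged, const struct cap_words *c,
                    bool (*has_only)(const struct cap_words *, int)) {
    if (!privileged) return true;          /* nothing to protect */
    return has_only(c, CAP_NET_BIND_SERVICE);
}

/* Constructed permitted sets for the demonstration. */
static const struct cap_words only_bind = {
    { 1u << CAP_NET_BIND_SERVICE, 0 } };
static const struct cap_words bind_plus_bpf = {          /* extra cap in word 1 */
    { 1u << CAP_NET_BIND_SERVICE, 1u << (CAP_BPF - 32) } };
static const struct cap_words bind_plus_sysadmin = {     /* extra cap in word 0 */
    { (1u << CAP_NET_BIND_SERVICE) | (1u << CAP_SYS_ADMIN), 0 } };

static void show(const char *label, const struct cap_words *c) {
    printf("%-22s flawed: env %s   fixed: env %s\n", label,
           env_is_trusted(true, c, has_only_flawed) ? "TRUSTED" : "ignored",
           env_is_trusted(true, c, has_only_fixed)  ? "TRUSTED" : "ignored");
}

int main(void) {
    show("only NET_BIND_SERVICE", &only_bind);          /* both: TRUSTED */
    show("+ CAP_SYS_ADMIN", &bind_plus_sysadmin);       /* both: ignored */
    show("+ CAP_BPF", &bind_plus_bpf);                  /* flawed: TRUSTED, fixed: ignored */
    return 0;
}
```

The flawed check gets the same-word case right (CAP_SYS_ADMIN alongside CAP_NET_BIND_SERVICE is rejected), which is why a bug of this kind survives casual testing; it only fails for capabilities that land in the word it never looks at, matching the advisory's "certain other capabilities".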

Key dates

Disclosure timeline

February 20, 2024 CVE published
April 30, 2025 Record updated