CVE-2024-22017 HIGH

Vendor Nodejs
Product Node
Published March 19, 2024
Last update April 30, 2025

CVSS base score

7.3/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

What the vulnerability does

01 Description

setuid() does not affect libuv's internal io_uring operations if io_uring was initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users of Node.js versions greater than or equal to 18.18.0, 20.4.0 and 21.

Key dates

02 Disclosure timeline

March 19, 2024 CVE published
April 30, 2025 Record updated