CVE-2024-22020 MEDIUM

Vendor: Nodejs
Product: Node
Published: July 9, 2024
Last update: April 30, 2025

CVSS base score

6.5/10
Attack vector: Local
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

What the vulnerability does

01 Description

A security flaw in Node.js allows network import restrictions to be bypassed. By embedding non-network imports in data URLs, an attacker can execute arbitrary code and compromise system security. The flaw has been verified on various platforms and is mitigated by forbidding data URLs in network imports. Exploiting it violates network import security, posing a risk to developers and servers.

Key dates

02 Disclosure timeline

July 9, 2024: CVE published
April 30, 2025: Record updated