CVE-2024-21892

NameCVE-2024-21892
DescriptionOn Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1064055

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)jessie0.10.29~dfsg-2vulnerable
stretch4.8.2~dfsg-1vulnerable
buster (security), buster, buster (lts)10.24.0~dfsg-1~deb10u4fixed
bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u5fixed
bookworm18.19.0+dfsg-6~deb12u2vulnerable
bookworm (security)18.19.0+dfsg-6~deb12u1vulnerable
trixie20.18.0+dfsg-2fixed
sid20.18.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssourcejessie(unfixed)end-of-life
nodejssourcestretch(unfixed)end-of-life
nodejssourcebuster(not affected)
nodejssourcebullseye(not affected)
nodejssource(unstable)18.19.1+dfsg-11064055

Notes

[bullseye] - nodejs <not-affected> (Vulnerable code not present)
[buster] - nodejs <not-affected> (Vulnerable code not present)
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high
https://github.com/nodejs/node/commit/e6b4c105e0795fba8afb3f8e910c56ba9e60f4b5 (v18.x)
https://github.com/nodejs/node/commit/10ecf400679e04eddab940721cad3f6c1d603b61 (main)
Search for package or bug name: Reporting problems