This morning, the July 2024 security bulletin for Node.js was published. This security release addresses two significant vulnerabilities that could be exploited to execute arbitrary code.
Bypass of Incomplete Fix for BatBadBut Vulnerability
One of the primary vulnerabilities, identified as CVE-2024-36138 (high), stems from an incomplete fix for a previous flaw known as BatBadBut, first made known to the public in April 2024. This vulnerability affects the child_process.spawn and child_process.spawnSync methods in Node.js on Windows. These methods are used to create child processes, enabling the application to execute commands or scripts.
The vulnerability arises from how Node.js handles batch files (like .bat and .cmd files) on Windows. If an attacker can influence the command-line arguments passed to child_process.spawn or child_process.spawnSync, they can inject malicious commands. This is especially alarming because it can happen even when the shell option, which is supposed to prevent such behavior, is not enabled.
Potential abuse
Imagine a scenario where an application uses user input to form commands. An attacker could sneak in harmful commands if that input isn’t properly sanitized, resulting in arbitrary code execution. This means they could take control of the system, modify files, create new user accounts, or even install a backdoor for persistent access. The impact is particularly severe if an application runs with elevated privileges, as it could lead to system-wide compromises.
Bypass Network Import Restriction via Data URL
The second vulnerability, CVE-2024-22020 (medium), involves bypassing network import restrictions through data URLs. Network import restrictions are a security measure intended to prevent unauthorized code execution from remote sources. However, data URLs, which allow embedding of data directly within a URL, present a loophole.
An attacker can bypass these restrictions by embedding scripts in data URLs. When such a URL is imported, the embedded script executes as if it were a regular network import, thereby sidestepping the intended security barriers.
Potential abuse
This flaw is a potential goldmine for attackers. They could craft a data URL with malicious code and trick a developer into importing it. Once imported, the malicious code executes, leading to arbitrary code execution. This vulnerability is cross-platform, affecting various systems running Node.js. The implications are broad—servers can be compromised, and security policies relying on network import restrictions can be effectively nullified.
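One defensive control that does not depend on the runtime's own network-import restriction is a module resolution hook that rejects data: specifiers and anything not on an explicit origin allowlist. The block below is an added example, not Node.js code or part of the bulletin; it assumes the shape of Node's module customization hooks, where a resolve(specifier, context, nextResolve) function is registered with module.register(), and it assumes a hypothetical ALLOWED_ORIGINS list that an operator would fill in.

```javascript
// Added example (not from the bulletin): a resolve hook that blocks data:
// URL imports and restricts network imports to an explicit allowlist.
// Register it from a separate hooks file with module.register(), as the
// Node module customization hooks API expects.

// Hypothetical allowlist; an operator supplies the real origins.
const ALLOWED_ORIGINS = new Set(['https://cdn.example.com']);

// Classifies a specifier. Relative and bare specifiers do not parse as
// absolute URLs and are left to the default resolver; absolute URLs are
// inspected by protocol.
function classifySpecifier(specifier) {
  let url;
  try {
    url = new URL(specifier);
  } catch {
    return { kind: 'local' };
  }
  if (url.protocol === 'data:') {
    return { kind: 'data' };
  }
  if (url.protocol === 'http:' || url.protocol === 'https:') {
    return { kind: 'network', origin: url.origin };
  }
  return { kind: 'other', protocol: url.protocol };
}

// Resolve hook in the shape used by module.register(): throws for data: and
// for network origins outside the allowlist, otherwise defers to nextResolve.
function resolve(specifier, context, nextResolve) {
  const info = classifySpecifier(specifier);
  if (info.kind === 'data') {
    throw new Error(`blocked data: URL import from ${context.parentURL}`);
  }
  if (info.kind === 'network' && !ALLOWED_ORIGINS.has(info.origin)) {
    throw new Error(`blocked network import of ${info.origin} from ${context.parentURL}`);
  }
  return nextResolve(specifier, context);
}

module.exports = { ALLOWED_ORIGINS, classifySpecifier, resolve };
```

Because the hook runs on every resolution, including imports performed by already-loaded modules, a data: specifier is refused wherever it appears in the module graph rather than only at the top-level entry point.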
In addition to the critical vulnerabilities discussed, today’s security bulletin addresses several other important issues. These include low-severity vulnerabilities such as fs.fchown/fchmod bypassing the permission model (CVE-2024-36137), fs.lstat bypassing the permission model (CVE-2024-22018), and improper processing of UNC paths in the permission model (CVE-2024-37372).
The bulletin also announces updates to Node.js versions v18.20.4, v20.15.1, and v22.4.1, now including undici v6.19.2 for enhanced security.