Security in software development is one of the top priorities, especially in critical projects like Node.js, which is widely used in server-side and network applications. In recent years, several dangerous vulnerabilities have been discovered in Node.js, and developers and system administrators need to be aware of them and take the necessary steps to prevent potential attacks.
In the following, we will review four important attacks and vulnerabilities in Node.js up until 2024:
---
1. CVE-2024-27980: Arbitrary Command Execution on Windows Systems
This critical vulnerability allows attackers to execute arbitrary commands through the `child_process.spawn` and `child_process.spawnSync` functions on Windows systems. Even if security measures like disabling the `shell` option are in place, the attacker can still bypass this mechanism.
How it works:
This vulnerability is made possible through the manipulation of inputs sent to the `spawn` and `spawnSync` functions. These functions in Windows are used to run operating system commands like `cmd`. If the inputs are not properly validated, an attacker can exploit them to execute malicious code.
Code example:
Suppose you are using `child_process.spawn` to execute a command:
const { spawn } = require('child_process');
const process = spawn('cmd', ['/c', 'dir']);
An attacker can send inputs that execute malicious code instead of the directory listing command:
const process = spawn('cmd', ['/c', 'malicious_code']);
Mechanism:
This issue arises from how Node.js handles operating system command inputs on Windows. Even if `shell` is disabled, the attacker can still execute malicious code through the commands sent.
Result:
This vulnerability allows attackers to execute malicious code through the Windows operating system without direct access to the server. Such attacks can lead to the installation of backdoors or the execution of other dangerous codes.
---
2. CVE-2024-22020: Bypassing Network Import Restrictions Using Data URLs
This vulnerability allows attackers to bypass network import restrictions using Data URLs, enabling the execution of arbitrary code on the target system.
How it works:
Under normal conditions, a Node.js application may use the `import()` function to load external modules:
import('https://example.com/module.js');
However, an attacker can use a Data URL to embed malicious JavaScript code directly:
import('console.log("malicious code")');
In this example, the JavaScript code is embedded directly into the URL and executed by the system.
Result:
This attack enables the execution of malicious code without relying on external resources, bypassing the security restrictions on network imports, and compromising server security.
---
### 3. **CVE-2024-21896: Path Traversal Attack through Buffer Manipulation**
This severe vulnerability allows attackers to perform **Path Traversal** attacks by manipulating the internal `Buffer` object. Attackers can gain access to files and directories they should not have access to.
How it works:
In Node.js, `Buffer` is used to store and manage binary data. An attacker can override the `Buffer.prototype.utf8Write` method, causing it to return sensitive file paths instead of valid ones.
Code example:
Suppose an application converts a file path to a `Buffer`:
const fs = require('fs');
const path = require('path');
const filePath = path.resolve('/user/data');
const fileBuffer = Buffer.from(filePath);
```
An attacker can override the `utf8Write` method:
Buffer.prototype.utf8Write = function () {
return '/etc/passwd';
};
Result:
The attacker can manipulate file paths to access sensitive files, gaining access to critical information or system files. This attack is particularly dangerous in systems using Node.js’s experimental permissions model.
---
4. CVE-2024-22017: Privilege Retention in `setuid()` due to io_uring Usage
This vulnerability occurs when `setuid()` is used to change process privileges, but `io_uring` does not properly apply the changes and continues operating with root privileges.
How it works:
On Linux, `setuid()` is used to lower the privileges of a process to that of a regular user:
process.setuid(non_root_user_id);
However, due to an issue with `io_uring`, this change is not applied correctly, and the process continues to operate with root privileges.
Code example:
A process using `io_uring` for operations may still perform root-privileged operations even after the privilege change:
process.setuid(non_root_user_id);
io_uring.submit(); // Operations are performed with root privileges
Result:
An attacker can exploit this flaw to perform operations requiring root access, even after privileges have been lowered. This increases the risk of system compromise.
---
Conclusion:
The discovered vulnerabilities in Node.js clearly demonstrate the importance of regular updates and adherence to security best practices in maintaining the security of systems based on this platform. Developers should always use up-to-date Node.js versions and carefully validate inputs sent to various functions to prevent potential attacks.
