{"id":"UBUNTU-CVE-2024-22017","details":"setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using a version greater than or equal to Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.","modified":"2025-07-14T06:35:42.273998Z","published":"2024-03-19T05:15:00Z","withdrawn":"2025-07-18T16:56:23Z","upstream":["CVE-2024-22017"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-22017"},{"type":"REPORT","url":"https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#setuid-does-not-drop-all-privileges-due-to-io_uring-cve-2024-22017---high"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-22017"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2024/03/11/1"},{"type":"REPORT","url":"https://github.com/nodejs/node/commit/42e659cb9d9425f76dbe9b57a437005508c0933d"},{"type":"REPORT","url":"https://github.com/nodejs/node/commit/6d14352c51974f0ba1a11e9e4889e61dae9da1f4"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Ubuntu:25.04","purl":"pkg:deb/ubuntu/nodejs@20.18.1+dfsg-1ubuntu2?arch=source&distro=plucky"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.18.1+dfsg-1ubuntu2"}]}],"versions":["20.16.0+dfsg-1ubuntu1","20.17.0+dfsg-2ubuntu1","20.18.0+dfsg-2","20.18.1+dfsg-1ubuntu1"],"ecosystem_specific":{"priority_reason":"setting priority based on oss-security report","availability":"No subscription required","binaries":[{"binary_name":"libnode-dev","binary_version":"20.18.1+dfsg-1ubuntu2"},{"binary_name":"libnode115","binary_version":"20.18.1+dfsg-1ubuntu2"},{"binary_name":"libnode115-dbgsym","binary_version":"20.18.1+dfsg-1ubuntu2"},{"binary_name":"nodejs","binary_version":"20.18.1+dfsg-1ubuntu2"},{"binary_name":"nodejs-dbgsym","binary_version":"20.18.1+dfsg-1ubuntu2"},{"binary_name":"nodejs-doc","binary_version":"20.18.1+dfsg-1ubuntu2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-22017.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L"},{"type":"Ubuntu","score":"high"}]}