Red Hat Security Advisory: nodejs:20 security update
A security update for Node.js 20 on Red Hat Enterprise Linux addresses multiple vulnerabilities including denial of service in node-tar and permission model bypasses in Node.js filesystem functions. The update fixes CVE-2024-28863, CVE-2024-22020, CVE-2024-22018, and CVE-2024-36137. These issues could allow denial of service or unauthorized permission bypass. Red Hat rates the overall impact as moderate and has released updated packages for affected Red Hat Enterprise Linux 8 variants.
AI Analysis
Technical Summary
This advisory covers four security vulnerabilities in Node.js 20 as packaged by Red Hat for RHEL 8. CVE-2024-28863 is a denial of service vulnerability in node-tar caused by lack of folder depth validation when parsing tar files. CVE-2024-22020 allows bypassing network import restrictions via data URLs. CVE-2024-22018 and CVE-2024-36137 involve bypasses of the permission model in Node.js filesystem functions fs.lstat and fs.fchown/fchmod respectively. Red Hat has issued a security update (RHSA-2024:5814) that addresses these issues by updating the nodejs:20 module. The advisory rates the severity as moderate and provides updated packages for multiple RHEL 8 architectures and extended life cycle versions.
Potential Impact
The vulnerabilities could lead to denial of service conditions or unauthorized bypass of filesystem permission checks in Node.js applications running on affected Red Hat Enterprise Linux 8 systems. This may allow attackers to circumvent security restrictions or cause application crashes. The overall security impact is rated moderate by Red Hat Product Security.
Mitigation Recommendations
Red Hat has released an official security update for the nodejs:20 module in Red Hat Enterprise Linux 8 that addresses these vulnerabilities. Users should apply the update as described in the Red Hat advisory RHSA-2024:5814 and the referenced article https://access.redhat.com/articles/11258 to remediate the issues. No additional mitigation steps are indicated beyond applying the official update.
Red Hat Security Advisory: nodejs:20 security update
Description
A security update for Node.js 20 on Red Hat Enterprise Linux addresses multiple vulnerabilities including denial of service in node-tar and permission model bypasses in Node.js filesystem functions. The update fixes CVE-2024-28863, CVE-2024-22020, CVE-2024-22018, and CVE-2024-36137. These issues could allow denial of service or unauthorized permission bypass. Red Hat rates the overall impact as moderate and has released updated packages for affected Red Hat Enterprise Linux 8 variants.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This advisory covers four security vulnerabilities in Node.js 20 as packaged by Red Hat for RHEL 8. CVE-2024-28863 is a denial of service vulnerability in node-tar caused by lack of folder depth validation when parsing tar files. CVE-2024-22020 allows bypassing network import restrictions via data URLs. CVE-2024-22018 and CVE-2024-36137 involve bypasses of the permission model in Node.js filesystem functions fs.lstat and fs.fchown/fchmod respectively. Red Hat has issued a security update (RHSA-2024:5814) that addresses these issues by updating the nodejs:20 module. The advisory rates the severity as moderate and provides updated packages for multiple RHEL 8 architectures and extended life cycle versions.
Potential Impact
The vulnerabilities could lead to denial of service conditions or unauthorized bypass of filesystem permission checks in Node.js applications running on affected Red Hat Enterprise Linux 8 systems. This may allow attackers to circumvent security restrictions or cause application crashes. The overall security impact is rated moderate by Red Hat Product Security.
Mitigation Recommendations
Red Hat has released an official security update for the nodejs:20 module in Red Hat Enterprise Linux 8 that addresses these vulnerabilities. Users should apply the update as described in the Red Hat advisory RHSA-2024:5814 and the referenced article https://access.redhat.com/articles/11258 to remediate the issues. No additional mitigation steps are indicated beyond applying the official update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2024:5814
- Cve Count
- 4
- Additional Cves
- ["CVE-2024-22020","CVE-2024-28863","CVE-2024-36137"]
- Cvss Version
- null
Threat ID: 6a483cbb27e9c79719d82fd4
Added to database: 07/03/2026, 22:50:35 UTC
Last enriched: 07/03/2026, 23:05:59 UTC
Last updated: 07/04/2026, 08:51:17 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.