CVE-2021-22921
📋 TL;DR
This vulnerability allows local attackers on Windows systems to escalate privileges through PATH and DLL hijacking attacks. It affects Node.js installations where improper directory permissions enable attackers to place malicious files that get executed with elevated privileges. Users running vulnerable Node.js versions on Windows are affected.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local user with limited privileges escalates to administrator rights, potentially installing malware, accessing sensitive data, or modifying system configurations.
If Mitigated
With proper file permissions and user access controls, the attack surface is reduced, but exploitation is still possible if initial access is obtained.
🎯 Exploit Status
Exploitation requires local access to the Windows system. Attack vectors include placing malicious executables or DLLs in improperly secured Node.js installation directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 12.22.2, 14.17.2, 16.4.1 or later
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Restart Required: No
Instructions:
1. Download and install patched Node.js version from nodejs.org.
2. Replace existing installation with updated version.
3. Verify installation with 'node --version' command.
🔧 Temporary Workarounds
Restrict Node.js directory permissions
Windows: Manually set proper permissions on Node.js installation directory to prevent unauthorized file writes
icacls "C:\Program Files\nodejs" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Use alternative installation methods
Windows: Install Node.js via package managers that handle permissions properly or use containerized deployments
choco install nodejs
scoop install nodejs
🧯 If You Can't Patch
- Implement strict file system permissions on Node.js installation directories
- Monitor for unauthorized file creation/modification in Node.js directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check Node.js version with 'node --version' and compare against affected versions. Also verify Windows OS and installation directory permissions.
Check Version:
node --version
Verify Fix Applied:
Run 'node --version' to confirm version is 12.22.2, 14.17.2, 16.4.1 or higher. Verify directory permissions restrict write access to non-administrative users.
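One way to carry out the directory permission check, as an added example that is not part of the Node.js advisory. It goes slightly beyond the install directory by also checking every directory on the machine PATH, since PATH hijacking is one of the two attack paths named above. The default path comes from the workaround section; the trusted SID list and the function name `Get-WritableAce` are assumptions.

```powershell
# Added example, not from the advisory. $NodeDir is an assumed install path.
param([string]$NodeDir = 'C:\Program Files\nodejs')

# SIDs expected to hold write access (assumed allow-list): SYSTEM,
# Administrators, CREATOR OWNER (inherit-only placeholder), TrustedInstaller.
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow planting or replacing a file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
          'ChangePermissions, TakeOwnership'
$mask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor
        0x40000000 -bor 0x10000000

# Hypothetical helper: return Allow ACEs on $Path that grant write-type
# rights to any principal outside the allow-list.
function Get-WritableAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference
        if ($trusted -contains $sid.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        # Resolve the SID to a name for the report; fall back to the raw SID.
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
        [pscustomobject]@{
            Path = $Path; Identity = $name
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

# Targets: the Node.js directory plus every existing machine PATH directory.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
$targets = @($NodeDir) + $machinePath |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).Trim() } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Sort-Object -Unique

$findings = foreach ($dir in $targets) { Get-WritableAce -Path $dir }
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else {
    Write-Output 'No write access for non-administrative principals found.'
}
```

Any row in the output is a directory where a principal outside the allow-list can create or replace files; an ACL matching the icacls workaround above (Users with RX only) produces no rows for that directory.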
📡 Detection & Monitoring
Log Indicators:
- File creation/modification events in Node.js installation directories by non-admin users
- Process execution from Node.js directories with unexpected parent processes
Network Indicators:
- Unusual outbound connections from Node.js processes running with elevated privileges
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%nodejs%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1211160
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://security.netapp.com/advisory/ntap-20210805-0003/