High Severity Vulnerability: CVE-2024-21538 in hydrogen-alpine

[Appstute-Arati]

CVE ID: GHSA-3xgq-45jj-v275
Severity: High
Affected Module: hydrogen-alpine
Description: The vulnerability allows an attacker to exploit an insecure configuration or flaw in the container to gain unauthorized access, escalate privileges, or execute arbitrary code remotely.

Recommendations:

Upgrade to the latest version of hydrogen-alpine where the issue has been fixed.
Patch the vulnerability by updating affected components in the container (e.g., dependencies).
References:

GHSA-3xgq-45jj-v275
Related advisory or patch from the maintainers, if any.

[nschonni]

https://github.com/nodejs/docker-node/blob/main/SECURITY.md

[gnowland]

@nschonni this CVE requires an update to npm to fix: npm/cli#7902 (comment)

I read through the README.md and SECURITY.md but wasn't clear about the procedure to trigger an update/rebuild when a new version of bundled npm cli is released...

EDIT: Ah, I suppose the Node.js team need to release a patch version to update the bundled npm version, which will then trigger a release of the node image... I'll reach out to them.

[Xyloto91]

@gnowland do you now when patch version will be released?

[bedla]

@gnowland do you have ticket we can follow -> I mean from context of your message "I'll reach out to them". Thank you

[gnowland]

sorry for the delay, npm v10.9.2 was released with Node.js v23.4.0 on Tuesday (2024-12-10).