{"api_version":"1","generated_at":"2026-04-23T08:15:22+00:00","cve":"CVE-2021-22921","urls":{"html":"https://cve.report/CVE-2021-22921","api":"https://cve.report/api/cve/CVE-2021-22921.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-22921","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-22921"},"summary":{"title":"CVE-2021-22921","description":"Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2021-07-12 11:15:00","updated_at":"2022-04-06 14:30:00"},"problem_types":["CWE-732"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20210805-0003/","name":"https://security.netapp.com/advisory/ntap-20210805-0003/","refsource":"CONFIRM","tags":[],"title":"July 2021 Node.js Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/","refsource":"MISC","tags":[],"title":"July 2021 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","refsource":"CONFIRM","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://hackerone.com/reports/1211160","name":"https://hackerone.com/reports/1211160","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-22921","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22921","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"22921","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22921","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22921","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"22921","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_infrastructure_network_services","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-22921","qid":"375691","title":"Node.js Multiple Vulnerabilities July 2021"},{"cve":"CVE-2021-22921","qid":"690034","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (c174118e-1b11-11ec-9d9d-0022489ad614)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-22921","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed in 16.4.1, 14.17.2, and 12.22.2"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Incorrect Permission Assignment for Critical Resource (CWE-732)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/","url":"https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"},{"refsource":"MISC","name":"https://hackerone.com/reports/1211160","url":"https://hackerone.com/reports/1211160"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210805-0003/","url":"https://security.netapp.com/advisory/ntap-20210805-0003/"},{"refsource":"CONFIRM","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]},"description":{"description_data":[{"lang":"eng","value":"Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking."}]}},"nvd":{"publishedDate":"2021-07-12 11:15:00","lastModifiedDate":"2022-04-06 14:30:00","problem_types":["CWE-732"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.4},"severity":"MEDIUM","exploitabilityScore":3.4,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"12.0.0","versionEndExcluding":"12.22.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.17.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"16.0.0","versionEndExcluding":"16.4.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.1.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"22921","Ordinal":"197654","Title":"CVE-2021-22921","CVE":"CVE-2021-22921","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"22921","Ordinal":"1","NoteData":"Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"22921","Ordinal":"2","NoteData":"2021-07-12","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"22921","Ordinal":"3","NoteData":"2021-08-05","Type":"Other","Title":"Modified"}]}}}