CVE-2021-22921 Overview
CVE-2021-22921 is a local privilege escalation vulnerability affecting Node.js on Windows platforms. The vulnerability stems from improper configuration of permissions in the installation directory, which allows attackers to perform two distinct escalation attacks: PATH hijacking and DLL hijacking. This vulnerability affects Node.js versions before 16.4.1, 14.17.2, and 12.22.2.
Critical Impact
Local attackers can exploit insecure directory permissions to achieve privilege escalation on Windows systems running vulnerable Node.js versions through PATH or DLL hijacking techniques.
Affected Products
- Node.js versions prior to 16.4.1
- Node.js versions prior to 14.17.2 (LTS)
- Node.js versions prior to 12.22.2 (LTS)
- Siemens SINEC Infrastructure Network Services (uses affected Node.js versions)
Discovery Timeline
- 2021-07-12 - CVE-2021-22921 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22921
Vulnerability Analysis
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The flaw allows local attackers without any special privileges to exploit insecure file permissions within the Node.js installation directory on Windows systems. When a user interacts with the vulnerable Node.js installation (for example, by executing node commands), malicious code planted by an attacker can be executed with elevated privileges.
The vulnerability enables two attack vectors: PATH hijacking, where an attacker places a malicious executable in a directory that takes precedence in the PATH environment variable, and DLL hijacking, where a malicious DLL is placed in the Node.js installation directory to be loaded by legitimate Node.js processes.
Root Cause
The root cause of CVE-2021-22921 lies in the improper configuration of file system permissions during the Node.js installation process on Windows. The installation directory is configured with overly permissive access controls, allowing non-privileged users to write files to locations that are searched during executable or library loading. This violates the principle of least privilege and creates an opportunity for local privilege escalation.
Attack Vector
The attack vector is local, requiring an attacker to have initial access to the target Windows system. The exploitation requires user interaction—specifically, a privileged user must execute Node.js or a related application that loads from the compromised directory.
The attacker workflow typically involves:
- Identifying a Node.js installation with insecure directory permissions
- Placing a malicious executable or DLL in the installation directory or a PATH-accessible location
- Waiting for a privileged user to invoke Node.js functionality
- Having the malicious payload execute with the privileges of the invoking user
Detailed technical information about this vulnerability can be found in the HackerOne Report #1211160 and the Node.js Vulnerability Blog Post.
Detection Methods for CVE-2021-22921
Indicators of Compromise
- Unexpected DLL files present in the Node.js installation directory (typically C:\Program Files\nodejs\)
- Unknown or suspicious executable files in directories included in the system PATH
- Unusual file modifications in the Node.js installation folder with timestamps inconsistent with legitimate updates
- Process execution anomalies where Node.js processes load DLLs from non-standard locations
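A triage pass for the first and third indicators above, as an added example that is not part of the original advisory. It lists DLL and EXE files at the top level of the install directory with their signature status, owner and creation time. The $NodeDir value and the trusted-owner SID set are assumptions to adjust per environment.

```powershell
# Added example: flag DLL/EXE files in the Node.js directory that are not
# validly signed or are owned by a non-administrative principal.
$NodeDir = 'C:\Program Files\nodejs'   # assumption: default install path
$TrustedOwners = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$sidType = [System.Security.Principal.SecurityIdentifier]

# Top level only: this is the directory node.exe itself runs from.
Get-ChildItem -LiteralPath $NodeDir -File -Force |
    Where-Object { $_.Extension -in '.dll', '.exe' } |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $owner = (Get-Acl -LiteralPath $_.FullName).GetOwner($sidType).Value
        [pscustomobject]@{
            File       = $_.Name
            CreatedUtc = $_.CreationTimeUtc
            Signature  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject   # empty when unsigned
            OwnerSid   = $owner
            # A file written by a standard user is normally owned by that user.
            Suspect    = ($sig.Status -ne 'Valid') -or ($TrustedOwners -notcontains $owner)
        }
    } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

A row marked Suspect is a lead for review, not proof of compromise; compare its creation time against the known install or update time of Node.js on that host.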
Detection Strategies
- Monitor for file creation events in the Node.js installation directory by non-installer processes
- Implement application whitelisting to prevent unauthorized executables from running in trusted directories
- Use endpoint detection and response (EDR) solutions to identify DLL side-loading attempts
- Audit directory permissions on Node.js installation folders to ensure they follow the principle of least privilege
Monitoring Recommendations
- Enable Windows Security Event logging for file system auditing on the Node.js installation directory
- Configure SIEM rules to alert on DLL or EXE file creation in program directories by standard user accounts
- Implement behavioral monitoring for processes spawned by Node.js that deviate from expected patterns
- Regularly scan for weak directory permissions using tools like icacls or PowerShell permission auditing scripts
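One way to script the permission audit recommended above, as an added example that is not part of the original advisory. It reports allow-ACEs granting write-type rights to any principal outside a trusted set, for the Node.js directory and every directory on the machine PATH. The $NodeDir value, the trusted SID set and the function name Get-WritableAce are assumptions made for this example.

```powershell
# Added example: report allow-ACEs that give write access to principals
# other than the trusted set, on the Node.js directory and machine PATH dirs.
$NodeDir = 'C:\Program Files\nodejs'   # assumption: default install path
$Trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Specific rights that let a principal plant, replace or re-ACL files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits: GENERIC_WRITE | GENERIC_ALL.
$GenericMask = 0x50000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($Trusted -contains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
@($NodeDir) + $machinePath |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    Sort-Object -Unique |
    ForEach-Object { Get-WritableAce -Path $_ } |
    Format-Table -AutoSize
```

An empty result means no ACE outside the trusted set carries write-type rights on those directories. The script reads ACEs as written and does not resolve group membership, so a reported SID still needs checking against who belongs to it.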
How to Mitigate CVE-2021-22921
Immediate Actions Required
- Upgrade Node.js to version 16.4.1, 14.17.2, or 12.22.2 (or later) depending on your release track
- Audit and remediate directory permissions on existing Node.js installations
- Review systems for signs of compromise before applying patches
- Restrict write access to Node.js installation directories to administrators only
Patch Information
Node.js has released security updates addressing this vulnerability. Users should update to the following patched versions:
- Node.js 16.x: Update to version 16.4.1 or later
- Node.js 14.x LTS: Update to version 14.17.2 or later
- Node.js 12.x LTS: Update to version 12.22.2 or later
For Siemens SINEC Infrastructure Network Services users, consult the Siemens Security Advisory SSA-389290 for specific guidance.
Additional vendor guidance is available in the NetApp Advisory NTAP-20210805-0003.
Workarounds
- Manually restrict directory permissions on the Node.js installation folder to allow write access only to administrators
- Implement application control policies to prevent execution of unsigned binaries in Node.js directories
- Use a dedicated, non-administrative user account for Node.js development activities
- Consider running Node.js in containerized environments where file system access can be strictly controlled
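# Configuration example - Restrict Node.js directory permissions on Windows
# Run in elevated PowerShell to fix directory permissions.
# /inheritance:r removes inherited ACEs; /grant:r replaces only the explicit ACEs of the
# principals named here, so explicit ACEs for any other principal remain and need separate removal.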
icacls "C:\Program Files\nodejs" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


