CVE-2024-48510 - Critical Severity Security Vulnerabilities in Azure Functions Node Docker Image - mcr.microsoft.com/azure-functions/node:4-node22

Question

CVE-2024-48510 - Critical Severity Security Vulnerabilities in Azure Functions Node Docker Image - mcr.microsoft.com/azure-functions/node:4-node22

Sundaramoorthy, Manikandan 20

Defender for cloud reporting CVE-2024-48510 - Critical Severity Security Vulnerability in mcr.microsoft.com/azure-functions/node:4-node22
DotNetZip v.1.16.0 and earlier versions are vulnerable to a Directory Traversal vulnerability.

Noticed same issue in nightly image mcr.microsoft.com/azure-functions/node:4-nightly-node22

Is there any fixed image available to use?

Loknathsatyasaivarma Mahali 795 Reputation points Microsoft External Staff

2025-02-06T01:30:18.08+00:00

Hello @Sundaramoorthy, Manikandan,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

We apologize for the inconvenience. Please allow us some time to consult with our internal experts regarding the available image that is ready for use.

We appreciate your patience.
Loknathsatyasaivarma Mahali 795 Reputation points Microsoft External Staff

2025-02-06T05:37:39.0866667+00:00

Hello @Sundaramoorthy, Manikandan,
Also, can you please share the us the below details, this will help us in investigating the issue further and provide you with the appropriate solution.

As we have created two images on both mcr.microsoft.com/azure-functions/node:4-node22 and the nightly one and Defender for Cloud is not showing this to me as a vulnerability. If you click on the CVE the flyout box will contain the evidence of where this is detected.

Can you share that here please?
Sundaramoorthy, Manikandan 20 Reputation points

2025-02-06T13:23:30.1766667+00:00

Evidence

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/func.deps.json

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/in-proc8/func.deps.json
Sundaramoorthy, Manikandan 20 Reputation points

2025-02-06T13:24:10.87+00:00

Evidence

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/func.deps.json

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/in-proc8/func.deps.json

Accepted answer

0 additional answers

Your answer

Loknathsatyasaivarma Mahali 795 Reputation points Microsoft External Staff

2025-02-06T01:30:18.08+00:00

Hello @Sundaramoorthy, Manikandan,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

We apologize for the inconvenience. Please allow us some time to consult with our internal experts regarding the available image that is ready for use.

We appreciate your patience.
Loknathsatyasaivarma Mahali 795 Reputation points Microsoft External Staff

2025-02-06T05:37:39.0866667+00:00

Hello @Sundaramoorthy, Manikandan,
Also, can you please share the us the below details, this will help us in investigating the issue further and provide you with the appropriate solution.

As we have created two images on both mcr.microsoft.com/azure-functions/node:4-node22 and the nightly one and Defender for Cloud is not showing this to me as a vulnerability. If you click on the CVE the flyout box will contain the evidence of where this is detected.

Can you share that here please?
Sundaramoorthy, Manikandan 20 Reputation points

2025-02-06T13:23:30.1766667+00:00

Evidence

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/func.deps.json

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/in-proc8/func.deps.json
Sundaramoorthy, Manikandan 20 Reputation points

2025-02-06T13:24:10.87+00:00

Evidence

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/func.deps.json

/home/site/wwwroot/node_modules/azure-functions-core-tools/bin/in-proc8/func.deps.json

Answer 1

Loknathsatyasaivarma Mahali 795 Microsoft External Staff

Hello @Sundaramoorthy, Manikandan,

Thank you for providing the necessary details. I have consulted with the Azure Functions engineering team and am sharing the following information. Team has investigated further and confirmed that they are working on Fix to mitigate this issue, and the fix will be rolled in the next releases of core tools.

Unfortunately, we don't have any exact ETA at this moment once the fix is rolled out will update the thread here.

Meanwhile as a workaround you can mitigate this issue by either editing the package.json to remove the Dev Dependency or running this command as part of the Docker File.
npm uninstall azure-functions-core-tools --save-dev

Hope this helps, let me know if you have any further questions on this.

Loknathsatyasaivarma Mahali 795 Reputation points Microsoft External Staff

2025-02-10T16:24:27.8733333+00:00

Hello @Sundaramoorthy, Manikandan,

If the response fully addressed your question, I kindly request you to mark the answer as accepted. This helps others in the community find the solution more easily and confirms that the issue is resolved.

If you have any further questions or need additional assistance, please don’t hesitate to let me know.

Thank you for your time and cooperation!

Share via

CVE-2024-48510 - Critical Severity Security Vulnerabilities in Azure Functions Node Docker Image - mcr.microsoft.com/azure-functions/node:4-node22

0 additional answers

Your answer