CVE-2024-48510 - Critical Severity Security Vulnerabilities in Azure Functions Node Docker Image - mcr.microsoft.com/azure-functions/node:4-node22

Sundaramoorthy, Manikandan 20 Reputation points
Feb 5, 2025, 10:31 PM

Defender for Cloud is reporting CVE-2024-48510 - Critical Severity Security Vulnerability in mcr.microsoft.com/azure-functions/node:4-node22
DotNetZip v.1.16.0 and earlier versions are vulnerable to a Directory Traversal vulnerability.

Noticed the same issue in the nightly image mcr.microsoft.com/azure-functions/node:4-nightly-node22

Is there any fixed image available to use?


Accepted answer
  1. Loknathsatyasaivarma Mahali 430 Reputation points Microsoft Vendor
    Feb 10, 2025, 7:13 AM

    Hello @Sundaramoorthy, Manikandan,

    Thank you for providing the necessary details. I have consulted with the Azure Functions engineering team and am sharing the following information. The team has investigated further and confirmed that they are working on a fix to mitigate this issue, and the fix will be rolled out in the next releases of core tools.

    Unfortunately, we don't have an exact ETA at this moment; once the fix is rolled out, we will update the thread here.

    Meanwhile, as a workaround, you can mitigate this issue by either editing the package.json to remove the dev dependency or running this command as part of the Dockerfile:
    npm uninstall azure-functions-core-tools --save-dev

    Hope this helps. Let me know if you have any further questions on this.

    1 person found this answer helpful.
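
A way to confirm the workaround from the accepted answer took effect before an image is rebuilt, as an added example that is not part of the thread and not Microsoft's code: it reports every place `azure-functions-core-tools` is still referenced in a parsed package.json and package-lock.json. The function name `findCoreTools`, the sample manifests and the placeholder version string are assumptions constructed for illustration.

```javascript
// Added example: locate remaining references to azure-functions-core-tools
// in a project's manifest and lock file after applying the workaround.
const TARGET = "azure-functions-core-tools";
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// pkg: parsed package.json; lock: parsed package-lock.json, or null if absent.
function findCoreTools(pkg, lock) {
  const hits = [];
  for (const section of SECTIONS) {
    const version = pkg && pkg[section] && pkg[section][TARGET];
    if (version) hits.push(`package.json ${section}: ${version}`);
  }
  // lockfileVersion 2 and 3 list installs under "packages", keyed by path.
  const packages = (lock && lock.packages) || null;
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === `node_modules/${TARGET}` || path.endsWith(`/node_modules/${TARGET}`)) {
      hits.push(`package-lock.json ${path}: ${meta.version}${meta.dev ? " (dev)" : ""}`);
    }
  }
  // lockfileVersion 1 has only a nested "dependencies" tree; walk it recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === TARGET) hits.push(`package-lock.json ${trail}${name}: ${meta.version}`);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!packages) walk(lock && lock.dependencies, "");
  return hits;
}

// Constructed sample manifests (not taken from the thread); the version is a placeholder.
const before = { name: "fn-app", devDependencies: { [TARGET]: "0.0.0-example" } };
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "fn-app" },
    [`node_modules/${TARGET}`]: { version: "0.0.0-example", dev: true },
  },
};
// State after "npm uninstall azure-functions-core-tools --save-dev".
const after = { name: "fn-app", devDependencies: {} };
const afterLock = { lockfileVersion: 3, packages: { "": { name: "fn-app" } } };

console.log("before:", findCoreTools(before, beforeLock));
console.log("after: ", findCoreTools(after, afterLock));
```

In a build pipeline, pass the project's own files through `JSON.parse` and fail the build when the returned list is not empty.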
