Node.js version 20 vulnerability allows bypassing restrictions through inspector module
CVE-2023-30587

7.5HIGH

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 7 September 2024

What is CVE-2023-30587?

A security vulnerability in Node.js 20 allows attackers to bypass permission restrictions established by the --experimental-permission flag through the inspector module (node:inspector). This vulnerability arises from the Worker class's capability to create an 'internal worker' utilizing the kIsInternal Symbol. By modifying the isInternal value during the initialization phase when the inspector is attached to the Worker constructor, an attacker can successfully circumvent the intended permission settings. This issue particularly impacts Node.js users who are utilizing the experimental permission model, underscoring the risks associated with transitioning features in early testing phases.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

https://nodejs.org/en/blog/vulnerability/june-2023-securi...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 7, 2024
Vulnerability Reserved
Apr 13, 2023

Nodejs

What is CVE-2023-30587?

Affected Version(s)

References

CVSS V3.1

Timeline