Denial of Service Vulnerability in Node.js by Invalid x509 Certificate Handling
CVE-2023-30588

5.3 MEDIUM

Key Information:

Vendor: Nodejs
Status: Vendor
CVE Published: 28 November 2023

What is CVE-2023-30588?

A vulnerability exists in the handling of x509 certificates when an invalid public key is passed to the crypto.X509Certificate() API. The flaw may cause the application to terminate unexpectedly, making it susceptible to Denial of Service (DoS) attacks. When an attacker supplies a malformed public key while creating an x509 certificate, the application can stop running because processing of the public key information is interrupted. As a result, the active user context is lost, which can create access problems in application logic. All active Node.js release lines (v16, v18, and v20) are affected by this vulnerability.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
