Diffie-Hellman Key Generation Issue in Node.js
CVE-2023-30590
7.5 HIGH
What is CVE-2023-30590?
A misconfiguration in the generateKeys() API function of Node.js leads to improper key generation behavior. The function only generates a private key if none has been set and fails to compute the corresponding public key appropriately after a private key is set. While the documentation suggests it generates both private and public keys, the actual behavior deviates significantly, exposing applications reliant on these APIs to potential security risks. This discrepancy poses broad implications for application-level security, particularly where Diffie-Hellman is employed as a foundational element.
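The private-key behaviour described above can be checked directly, and the dependable way to obtain a new key pair is a new DiffieHellman object per exchange. This is an added example, not code from the Node.js project or from this advisory; the helper names are hypothetical, and reusing the built-in modp14 group parameters is an assumption made to avoid slow prime generation.

```javascript
// Added example: helper names are hypothetical, not part of the Node.js API.
const { createDiffieHellman, getDiffieHellman } = require('node:crypto');

// Assumption: reuse the built-in modp14 (2048-bit) parameters so the
// example runs quickly and offline.
const group = getDiffieHellman('modp14');
const PRIME = group.getPrime();
const GENERATOR = group.getGenerator();

// Calls generateKeys() twice on one object and reports whether the
// private key changed between the two calls.
function secondCallRotatesPrivateKey() {
  const dh = createDiffieHellman(PRIME, GENERATOR);
  dh.generateKeys();
  const first = dh.getPrivateKey();
  dh.generateKeys(); // a private key already exists on this object
  return !first.equals(dh.getPrivateKey());
}

// Sets a private key, calls generateKeys(), and reports whether the
// caller-supplied private key is still the one held by the object.
function generateAfterSet(privateKey) {
  const dh = createDiffieHellman(PRIME, GENERATOR);
  dh.setPrivateKey(privateKey);
  const publicKey = dh.generateKeys();
  return { privateKept: dh.getPrivateKey().equals(privateKey), publicKey };
}

// Defensive pattern: one new object per key exchange, so "generate"
// always means a new private key and a matching public key.
function freshKeyPair() {
  const dh = createDiffieHellman(PRIME, GENERATOR);
  const publicKey = dh.generateKeys();
  return { dh, publicKey, privateKey: dh.getPrivateKey() };
}

// Two parties, each with a fresh object, derive the same shared secret.
function agreeWithFreshKeys() {
  const a = freshKeyPair();
  const b = freshKeyPair();
  return a.dh.computeSecret(b.publicKey).equals(b.dh.computeSecret(a.publicKey));
}
```

Code that calls generateKeys() on a long-lived object and treats the result as a new ephemeral key is the pattern to look for in review; replacing it with a per-exchange object as in freshKeyPair() removes the dependence on this behaviour.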
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*