Path Traversal Vulnerability in Node.js 20 Experimental Permission Model
CVE-2023-32003
5.3 MEDIUM
What is CVE-2023-32003?
A significant flaw has been identified in Node.js 20, affecting users of its experimental permission model. The vulnerability arises from the fs.mkdtemp() and fs.mkdtempSync() functions, which can be exploited through a path traversal attack. The lack of proper permission checks allows malicious actors to create arbitrary directories, which could lead to further exploitation within an application. This issue emphasizes the importance of robust permission checks, particularly in experimental features like the permission model of Node.js.
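An application-side guard for the prefix passed to fs.mkdtempSync(), shown as an added example (not code from Node.js or from this advisory). The helper names safeMkdtemp and isInside and the demo paths are assumptions made for illustration; the check is independent of the permission model.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `candidate` is `root` itself or a path beneath it.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Hypothetical helper: create a temp directory only under `allowedRoot`.
function safeMkdtemp(allowedRoot, prefix) {
  if (typeof prefix !== 'string' || prefix.includes('\0')) {
    throw new TypeError('prefix must be a string without NUL bytes');
  }
  const root = fs.realpathSync(allowedRoot);
  // mkdtemp appends six random characters to the prefix, so model the final
  // name with a placeholder and work out which directory would hold it.
  const target = path.resolve(root, prefix + 'XXXXXX');
  // realpathSync also resolves symlinks, so a link inside the root that
  // points elsewhere is rejected too. It throws if the parent is missing.
  const parent = fs.realpathSync(path.dirname(target));
  if (!isInside(root, parent)) {
    throw new Error(`prefix escapes allowed root: ${JSON.stringify(prefix)}`);
  }
  const namePrefix = path.basename(target).slice(0, -6);
  return fs.mkdtempSync(parent + path.sep + namePrefix);
}

// Constructed demo: one benign prefix and one traversal prefix.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'mkdtemp-demo-'));
  const result = { root: fs.realpathSync(root), created: null, rejected: false };
  try {
    result.created = safeMkdtemp(root, 'job-');
    try {
      safeMkdtemp(root, '../escape-');
    } catch (err) {
      result.rejected = true;
    }
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
  return result;
}

console.log(demo());
```

The guard resolves the parent directory before creating anything, so a prefix containing ../ segments or an absolute path is refused instead of being handed to fs.mkdtempSync().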
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*