Permission Model Vulnerability in Node.js by OpenJS Foundation
CVE-2023-32005
5.3 MEDIUM
What is CVE-2023-32005?
A security flaw has been identified in Node.js version 20, specifically affecting the experimental permission model when the --allow-fs-read flag is used with a non-* argument. The permission model does not adequately restrict the fs.statfs API, so file statistics can be retrieved through it without authorization. As a consequence, malicious users may access file stats without having the necessary read permissions. The risk applies particularly to those using the experimental permission model.
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*