Path Traversal Vulnerability in Node.js by OpenJS Foundation
CVE-2023-32558

7.5HIGH

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 12 September 2023

What is CVE-2023-32558?

This security issue stems from the usage of the deprecated API process.binding(), which poses a risk by allowing path traversal that can potentially bypass the permission model. This vulnerability specifically impacts users engaged with the experimental permission model in Node.js 20.x, necessitating prompt attention and remediation.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

https://hackerone.com/reports/2051257

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2023
Vulnerability Reserved
May 10, 2023

Nodejs

What is CVE-2023-32558?

Affected Version(s)

References

CVSS V3.1

Timeline