import-in-the-middle allows unsanitized user controlled input in module generation
CVE-2023-38704
What is CVE-2023-38704?
import-in-the-middle, Datadog's ESM loader hook for intercepting module loads, is vulnerable to remote code execution when an application passes unsanitized user-controlled input to import(). The hook works by generating the source of a wrapper module that loads the original module; the requested specifier is written into that generated source, so an attacker who controls the string passed to import() can influence the code that is generated and executed. Only applications that forward untrusted input directly into dynamic imports while the loader hook is active are exposed.

The issue is fixed in version 1.4.2. Independently of the upgrade, applications should never call import() with user input. Valid input should instead be strictly checked against an allowlist of known module specifiers, and the user-supplied value should select an entry from that list rather than form part of the specifier itself. If ESM modules are not needed, ensure that no loader hooks are enabled, either through the Node command-line options or through the NODE_OPTIONS environment variable.
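The following is an added example, not code from import-in-the-middle or Datadog, showing the two mitigations the advisory recommends: resolving user input through an allowlist before it ever reaches import(), and checking whether an ESM loader hook is enabled via process arguments or NODE_OPTIONS. The module table, the formatter names and the hook path are hypothetical and constructed for illustration.

```javascript
// Added example (not code from import-in-the-middle or Datadog): keep untrusted input
// out of import() by resolving it through an allowlist, and detect whether an ESM
// loader hook is enabled via argv or NODE_OPTIONS. Module names below are hypothetical.

// Fixed table of the only module specifiers the application is willing to load.
const ALLOWED_FORMATTERS = Object.freeze({
  csv: './formatters/csv.js',
  json: './formatters/json.js',
});

// Vulnerable pattern from the advisory: an attacker-controlled string reaches import().
// When the import-in-the-middle loader hook is active, that string is written into the
// generated wrapper module's source, so the input can influence executed code. Shown
// only as the anti-pattern; never call this with request data.
async function loadFormatterUnsafe(userInput) {
  return import(userInput);
}

// Hardened form: user input is a lookup key, never part of the specifier itself.
function resolveFormatter(userInput) {
  if (typeof userInput !== 'string') {
    throw new TypeError('formatter name must be a string');
  }
  // hasOwnProperty guards against prototype keys such as "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_FORMATTERS, userInput)) {
    throw new RangeError(`unknown formatter: ${JSON.stringify(userInput)}`);
  }
  return ALLOWED_FORMATTERS[userInput];
}

async function loadFormatter(userInput) {
  return import(resolveFormatter(userInput));
}

// Flags that install ESM loader hooks. "--loader" and "--experimental-loader" are
// Node's documented loader flags; "--import" can preload a module that registers hooks.
const LOADER_FLAGS = ['--loader', '--experimental-loader', '--import'];

// Returns true if any token in execArgv or the NODE_OPTIONS string enables a loader hook.
function loaderHooksEnabled(execArgv, nodeOptions) {
  const tokens = [...execArgv, ...nodeOptions.split(/\s+/).filter(Boolean)];
  return tokens.some((tok) =>
    LOADER_FLAGS.some((flag) => tok === flag || tok.startsWith(`${flag}=`))
  );
}

// Convenience check for the running process; a deployment that does not need ESM
// hooks would refuse to start when this returns true.
function currentProcessLoaderHooks() {
  return loaderHooksEnabled(process.execArgv, process.env.NODE_OPTIONS || '');
}
```

The allowlist is a plain object keyed by the short names the application accepts; the check uses Object.prototype.hasOwnProperty so that inherited property names cannot be used as keys. The loader check is deliberately coarse (it looks at flag names only) and is meant as a startup assertion, not as a substitute for keeping user input out of import().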

Affected Version(s)
import-in-the-middle < 1.4.2
