import-in-the-middle allows unsanitized user controlled input in module generation
CVE-2023-38704

8.1HIGH

Key Information:

Vendor: Datadog
Status: Import-in-the-middle
Vendor: CVE Published:; 7 August 2023

What is CVE-2023-38704?

The import-in-the-middle module from DataDog is vulnerable to a remote code execution exploit due to improper handling of user-supplied input in the import() function. This issue arises from its method of generating a wrapper module that loads the original module, which can be manipulated when an application directly passes unverified user inputs. The vulnerability has been fixed in version 1.4.2, and users are advised to refrain from using dynamic imports with user inputs. Instead, valid input should be strictly checked against an established whitelist. If the use of ESM modules is unnecessary, ensure that no loader hooks are enabled by adjusting command-line options or the NODE_OPTIONS environment variable.

Affected Version(s)

import-in-the-middle < 1.4.2

References

https://github.com/DataDog/import-in-the-middle/security/...

x_refsource_CONFIRM

https://github.com/DataDog/import-in-the-middle/commit/25...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 7, 2023
Vulnerability Reserved
Jul 24, 2023

Datadog

What is CVE-2023-38704?

Affected Version(s)

References

CVSS V3.1

Timeline