Path Traversal Vulnerability in Node.js Experimental Feature
CVE-2023-39331

7.7HIGH

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 18 October 2023

What is CVE-2023-39331?

A newly identified path traversal vulnerability in the experimental feature of Node.js allows an application to overwrite built-in utility functions with user-defined implementations. This issue stems from inadequate protection mechanisms in the implementation, which can lead to unintended behavior and security breaches. Organizations using Node.js should review their implementations and apply relevant mitigations to safeguard against potential exploitation.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

https://hackerone.com/reports/2092852

https://security.netapp.com/advisory/ntap-20231116-0009/

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 18, 2023
Vulnerability Reserved
Jul 28, 2023

Nodejs

What is CVE-2023-39331?

Affected Version(s)

References

CVSS V3.1

CVSS V3.0

Timeline