Path Traversal Vulnerability in Node.js Libraries
CVE-2023-39332
9.8 CRITICAL
What is CVE-2023-39332?
A path traversal vulnerability exists in Node.js due to improper handling of Uint8Array objects in file system operations. Node.js includes protections against path traversal for strings and Buffer objects, but it does not apply the same safeguards to non-Buffer Uint8Array instances. An attacker who can supply such a path can reach files outside the intended directories, which poses a significant security risk. The vulnerability arises in the experimental permission model in Node.js, so applications that use that feature need particular caution.
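An application-level containment check that treats every path-like type identically, so a plain Uint8Array gets the same scrutiny as a string or Buffer. This is an added example, not Node.js's own fix or code from this advisory; `pathToString`, `resolveInside`, `isAllowed` and the base directory are hypothetical names.

```javascript
const path = require('node:path');
const { fileURLToPath } = require('node:url');

// Turn any path-like value into a string. Buffer is a Uint8Array subclass,
// so ArrayBuffer.isView() covers Buffer, plain Uint8Array and other views.
function pathToString(input) {
  if (typeof input === 'string') return input;
  if (input instanceof URL) return fileURLToPath(input);
  if (ArrayBuffer.isView(input)) {
    return Buffer.from(input.buffer, input.byteOffset, input.byteLength)
      .toString('utf8');
  }
  throw new TypeError('unsupported path type');
}

// Hypothetical helper: resolve `input` under `baseDir`, or throw.
// The check is lexical only; symlinks are not resolved here.
function resolveInside(baseDir, input) {
  const raw = pathToString(input);
  if (raw.includes('\0')) throw new Error('NUL byte in path');
  const base = path.resolve(baseDir);
  const target = path.resolve(base, raw);
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// True when resolveInside accepts the input, false when it rejects it.
function isAllowed(baseDir, input) {
  try { resolveInside(baseDir, input); return true; } catch { return false; }
}

// Constructed sample inputs: one traversal string in three encodings.
const BASE = '/srv/app/data';
const asString = '../../etc/passwd';
const asBuffer = Buffer.from(asString);
const asUint8 = new TextEncoder().encode(asString); // Uint8Array, not a Buffer

for (const [label, value] of [['string', asString], ['Buffer', asBuffer],
                              ['Uint8Array', asUint8]]) {
  console.log(label, 'isBuffer=' + Buffer.isBuffer(value),
              'allowed=' + isAllowed(BASE, value));
}
```

Because the check runs on the decoded string, the argument's type cannot change the outcome; code that needs symlink safety would additionally compare real paths on disk.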
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*
