Vulnerability DatabaseCVE-2023-30583

CVE-2023-30583:
Node.js vulnerability analysis and mitigation

Overview

A vulnerability has been identified in Node.js version 20, where fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag. This flaw arises from a missing check in the fs.openAsBlob() API. The vulnerability was disclosed in June 2023 and affects all users using the experimental permission model in Node.js 20 (Node.js Blog).

Technical details

The vulnerability is tracked as CVE-2023-30583 and has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability exists in the fs.openAsBlob() API implementation, which fails to properly check permissions when the experimental permission model is enabled with the --allow-fs-read flag (NetApp Security).

Impact

Successful exploitation of this vulnerability could lead to disclosure of sensitive information by bypassing the file system read restrictions that were intended to be enforced by the experimental permission model (NetApp Security).

Mitigation and workarounds

The vulnerability has been fixed in Node.js version 20.3.1. Users running affected versions should upgrade to this patched version or later to address the security issue (Node.js Blog).