CVE-2023-30585: 
Node.js vulnerability analysis and mitigation

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. The vulnerability (CVE-2023-30585) was disclosed in June 2023 and affects all active Node.js versions (v16, v18, and v20). The issue emerges during the repair operation when the 'msiexec.exe' process runs under the NT AUTHORITY\SYSTEM context (Node Release).

The vulnerability occurs when the 'msiexec.exe' process attempts to read the %USERPROFILE% environment variable from the current user's registry. When the path referenced by the %USERPROFILE% environment variable does not exist, the process attempts to create the specified path in an unsafe manner. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability can lead to the creation of arbitrary folders in arbitrary locations on the affected system. Since the %USERPROFILE% environment variable in the Windows registry can be modified by standard (non-privileged) users, malicious entities or trojans can manipulate the environment variable key to deceive the privileged 'msiexec.exe' process. This manipulation enables the creation of folders in unintended and potentially malicious locations (Node Release).

The vulnerability has been fixed in Node.js versions v16.20.1, v18.16.1, and v20.3.1. Users are advised to upgrade to these or later versions to address the security issue. The fix was implemented by Tobias Nießen after the vulnerability was reported by @sim0nsecurity (Node Release).