CVE-2023-30586: 
Node.js vulnerability analysis and mitigation

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled. The vulnerability, tracked as CVE-2023-30586, was discovered in Node.js version 20.0.0 and affects the experimental permission model feature. The issue was patched in Node.js version 20.3.1, released in June 2023 (Node Blog).

The vulnerability allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. Specifically, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can disable the permission model in the host process by manipulating the process's stack memory to locate the Permission::enabled_ in the host process's heap memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

Successful exploitation of this vulnerability could lead to privilege escalation, allowing attackers to bypass and disable the experimental permission model. This could result in unauthorized access and modification of data that should be restricted by the permission model (NetApp Advisory).

The vulnerability has been fixed in Node.js version 20.3.1. Users are advised to upgrade to this version or later to address the issue. It's important to note that this vulnerability only affects systems using the experimental permission model feature in Node.js 20 (Node Blog).