CVE-2023-30587: 
Node.js vulnerability analysis and mitigation

A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism, which was an experimental feature at the time of discovery (Node.js Blog).

The vulnerability allows attackers to bypass security restrictions by exploiting the Worker class functionality in Node.js. The attack vector involves manipulating the isInternal value during the Worker constructor execution, specifically when an inspector is attached before the WorkerImpl initialization. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (CISA-ADP).

The successful exploitation of this vulnerability could lead to the disclosure of sensitive information or addition or modification of data. The vulnerability specifically impacts the security boundaries established by the experimental permission model in Node.js, potentially allowing attackers to bypass intended access restrictions (NetApp Advisory).

The vulnerability has been fixed in Node.js version 20.3.1. Users running affected versions should upgrade to this patched version or later to mitigate the security risk (Node.js Blog).