CVE-2023-38704: 
JavaScript vulnerability analysis and mitigation

import-in-the-middle is a module loading interceptor specifically for ESM modules. A vulnerability was discovered in versions prior to 1.4.2 that allows for remote code execution when an application passes user-supplied input directly to the import() function. The vulnerability was disclosed on August 7, 2023, and has been assigned CVE-2023-38704 (NVD, GitHub Advisory).

The vulnerability exists in the import-in-the-middle loader's wrapper module generation process. The loader generates a wrapper module on the fly, which uses the module specifier to load the original module and add wrapping code. The issue stems from insufficient sanitization of user-controlled input in the module generation process. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL by NIST (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and 8.1 HIGH by GitHub (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L) (NVD).

When exploited, this vulnerability can lead to remote code execution on systems where an application passes user-supplied input directly to the import() function. This could potentially allow attackers to execute arbitrary code in the context of the application (GitHub Advisory).

The vulnerability has been patched in import-in-the-middle version 1.4.2. For those unable to update immediately, two workarounds are available: 1) Do not pass any user-supplied input to import(); instead, verify it against a set of allowed values, and 2) If using import-in-the-middle and EcmaScript Modules support is not needed, ensure that no options are set (via command-line or NODE_OPTIONS environment variable) that would enable loader hooks (GitHub Advisory).