CVE-2023-39332: 
npm vulnerability analysis and mitigation

Various node:fs functions in Node.js allow specifying paths as either strings or Uint8Array objects. The vulnerability (CVE-2023-39332) exists because Node.js prevents path traversal through strings (CVE-2023-30584) and Buffer objects (CVE-2023-32004), but fails to prevent path traversal through non-Buffer Uint8Array objects. This vulnerability was discovered and reported in October 2023, affecting Node.js versions up to 20.8.0 (Node.js Blog).

The vulnerability stems from an incomplete path traversal protection mechanism in Node.js. While the system implements safeguards against path traversal attacks using strings and Buffer objects, it fails to extend this protection to non-Buffer Uint8Array objects. This oversight is particularly significant because in Node.js environments, the Buffer class extends the Uint8Array class. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe impact potential (NVD).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability (NetApp Advisory).

The vulnerability has been patched in Node.js version 20.8.1. Users are strongly advised to upgrade to this version or later to address the security issue. The fix was developed and contributed by Tobias Nießen, who also reported the vulnerability (Node.js Blog).