CVE-2023-45311: 
JavaScript vulnerability analysis and mitigation

fsevents before version 1.2.11 contains a vulnerability where it depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL for loading binaries. This dependency could potentially allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code obtained from that URL when it was under adversary control. The vulnerability was discovered and disclosed on October 6, 2023 (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from the package's dependency on a hardcoded S3 bucket URL for loading binary files, which could be potentially compromised by malicious actors. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code) (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary code through compromised binaries if they gained control of the specified S3 bucket URL. This could affect any JavaScript project that depends on the vulnerable versions of fsevents and distributes code obtained from the compromised URL (NVD).

The vulnerability was fixed in version 1.2.11 by removing the dependency on the remote binary loading. Users should upgrade to fsevents version 1.2.11 or higher to mitigate this vulnerability. Additionally, AWS has blocked access to the vulnerable S3 bucket, providing an additional layer of protection (Snyk, GitHub Compare).