PT-2023-4526 · Node.Js · Node.Js
Colin Ihrig
Published 2023-06-20 · Updated 2024-12-16
CVE-2023-30582
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Node.js version 20
Description
A flaw has been identified in the experimental permission model of Node.js when the --allow-fs-read flag is used with a non-* argument. The permission model does not restrict file watching through the fs.watchFile API, so a malicious actor can monitor files they do not have explicit read access to.
Recommendations
For Node.js version 20, consider disabling the experimental permission model or restricting the use of the --allow-fs-read flag with non-* arguments until a patch is available. As a temporary workaround, avoid using the fs.watchFile API with sensitive files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness type
Improper Access Control
Related identifiers
Affected products
Node.Js