CVE-2023-32003

Name of the Vulnerable Software and Affected Versions Node.js versions 20

Description The issue arises from a missing check in the fs.mkdtemp() API, allowing a malicious actor to bypass the permission model check using a path traversal attack. This can lead to the creation of an arbitrary directory. The vulnerability affects all users using the experimental permission model in Node.js.

Recommendations For Node.js version 20, consider disabling the fs.mkdtemp() and fs.mkdtempSync() functions until a patch is available to prevent exploitation. Restrict access to the vulnerable API endpoints to minimize the risk of arbitrary directory creation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.