PT-2023-29492 · Fsevents · Fsevents
Published: 2023-10-06 · Updated: 2025-11-25
CVE-2023-45311
CVSS v3.1: 9.8 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
fsevents versions prior to 1.2.11
Description
fsevents depends on the URL https://fsevents-binaries.s3-us-west-2.amazonaws.com. An adversary could execute arbitrary code if a JavaScript project that depends on fsevents distributes code that was obtained from this URL while the URL was under the adversary's control.
Recommendations
For versions prior to 1.2.11, update to version 1.2.11 or later to resolve the issue. As a temporary workaround, consider avoiding the use of code obtained from the specified URL until the update is applied.
Exploit · Fix · Code Injection
Weakness Enumeration
Related Identifiers
CVE-2023-45311
GHSA-8R6J-V8PM-FQW3
Affected Products
Fsevents
References · 26
- https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737 · Exploit
- https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512 · Exploit
- https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267 · Exploit
- https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494 · Exploit
- https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153 · Exploit
- https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902 · Exploit
- https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11 · Vendor Advisory
- https://osv.dev/vulnerability/UBUNTU-CVE-2023-45311 · Vendor Advisory
- https://ubuntu.com/security/CVE-2023-45311 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2023-45311 · Security Note
- https://osv.dev/vulnerability/GHSA-8r6j-v8pm-fqw3 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2023-45311 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-45311 · Security Note
- https://github.com/tornadoweb/tornado · Note
- https://github.com/pypiserver/pypiserver · Note