CVE-2023-30586

Name of the Vulnerable Software and Affected Versions Node.js version 20

Description A privilege escalation issue exists due to insufficient access control in the crypto.setEngine() method of Node.js. This can be exploited by a remote attacker to bypass existing security restrictions. The attack complexity is high. The crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled in the host process's heap memory.

Recommendations For Node.js version 20, as a temporary workaround, consider disabling the crypto.setEngine() function until a patch is available. Restrict access to the experimental permission model to minimize the risk of exploitation. Avoid using the crypto.setEngine() API with compatible OpenSSL engines until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.