PT-2023-4526 · Node.Js · Node.Js

Colin Ihrig · Published 2023-06-20 · Updated 2024-12-16 · CVE-2023-30582

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Node.js version 20 with the experimental permission model enabled (--experimental-permission)
Description: A flaw has been identified in the experimental permission model of Node.js 20 when the --allow-fs-read flag is given a non-* argument, that is, a specific list of permitted paths rather than a blanket allow. The permission model did not apply its file-system read check to the fs.watchFile API, so code running under a restricted --allow-fs-read could watch, and receive stat-change notifications for, files it had no read permission for. The leak is limited to file metadata (existence, size, modification times) rather than file contents, which is why the impact is rated Confidentiality: Low and the score is Medium.
Recommendations: Upgrade to a Node.js 20 release that contains the fix; it shipped in Node.js 20.3.1, the security release of 2023-06-20. Where upgrading is not immediately possible, do not rely on --allow-fs-read with a path argument to keep sensitive files from being watched: either keep the experimental permission model disabled and apply OS-level controls, or wrap fs.watchFile in an application-level check against the same allow-list. Note that the permission model was experimental in Node.js 20 and was never intended as a sandbox against untrusted code; treat --allow-fs-read as a hardening measure, not a security boundary.

Weakness Enumeration

Improper Access Control

Related Identifiers

BDU:2023-04929
BIT-NODE-2023-30582
BIT-NODE-MIN-2023-30582
CVE-2023-30582
MGASA-2023-0226
OPENSUSE-SU-2024:13021-1

Affected Products

Node.Js