PT-2023-7025 · Node.js +6
Dittyroma · Published 2023-07-28 · Updated 2026-05-18 · CVE-2023-39333
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Node.js versions prior to the fixed version
Description
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module. This issue affects users of any active release line of Node.js, but the vulnerable feature is only available if Node.js is started with the --experimental-wasm-modules command line option.
Recommendations
As a temporary workaround, consider disabling the --experimental-wasm-modules command line option until a patch is available.
Restrict access to the WebAssembly module to minimize the risk of exploitation.
Avoid using the vulnerable feature until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Code Injection
Improper Neutralization
Special Elements Injection
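One way to vet a .wasm file before it is imported with --experimental-wasm-modules enabled, given here as an added example that is not part of the advisory or of Node.js: it reads the export section of the binary and reports export names that are not plain ASCII identifiers. The identifier-only policy, the function names and the sample bytes are assumptions constructed for this example.

```javascript
// Decode an unsigned LEB128 integer at `pos`; returns [value, nextPos].
function readU32(buf, pos) {
  let value = 0, shift = 0, byte;
  do {
    if (pos >= buf.length || shift > 28) throw new Error('bad LEB128');
    byte = buf[pos++];
    value += (byte & 0x7f) * 2 ** shift;
    shift += 7;
  } while (byte & 0x80);
  return [value, pos];
}

// Return the names in the export section (section id 7) of a wasm binary.
function exportNames(buf) {
  if (buf.length < 8 || buf.readUInt32LE(0) !== 0x6d736100) throw new Error('not a wasm binary');
  const names = [];
  let pos = 8, size;
  while (pos < buf.length) {
    const id = buf[pos++];
    [size, pos] = readU32(buf, pos);
    const end = pos + size;
    if (end > buf.length) throw new Error('truncated section');
    if (id === 7) {
      let count, len, p = pos;
      [count, p] = readU32(buf, p);
      for (let i = 0; i < count; i++) {
        [len, p] = readU32(buf, p);
        if (p + len > end) throw new Error('truncated export name');
        names.push(buf.toString('utf8', p, p + len));
        [, p] = readU32(buf, p + len + 1); // skip the kind byte, then the index
      }
    }
    pos = end;
  }
  return names;
}

// Assumed policy for this example: accept only plain ASCII identifier names.
const PLAIN_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const suspiciousExports = (buf) => exportNames(buf).filter((n) => !PLAIN_IDENTIFIER.test(n));

// Constructed sample: one memory exported under two names.
function sampleModule() {
  const exp = (name) => Buffer.from([name.length, ...Buffer.from(name), 0x02, 0x00]);
  const body = Buffer.concat([Buffer.from([2]), exp('memory'), exp('not-an-identifier')]);
  const header = [0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0, 0x05, 0x03, 0x01, 0x00, 0x01, 0x07, body.length];
  return Buffer.concat([Buffer.from(header), body]); // magic+version, memory section, export section
}
console.log(suspiciousExports(sampleModule()));
```

A module for which suspiciousExports returns a non-empty list can be rejected or sent for review before any import statement touches it.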
Related Identifiers
Affected Products
AlmaLinux
CentOS
Node.js
Red Hat
RED OS
Rocky Linux
SUSE