PT-2023-9687 · Node.Js · Node.Js

Rafaelgss · Published 2023-06-25 · Updated 2024-12-16 · CVE-2023-32005

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Node.js version 20

Description

A flaw in the experimental permission model of Node.js version 20 allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used with a non-* argument. This issue arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API.

Recommendations

For Node.js version 20, consider disabling the experimental permission model or restricting the use of the fs.statfs API until a patch is available. Avoid using the --allow-fs-read flag with non-* arguments to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Incorrect Permission

Weakness Enumeration

Related Identifiers

BDU:2024-09774
BIT-NODE-2023-32005
BIT-NODE-MIN-2023-32005
CVE-2023-32005
OPENSUSE-SU-2024:13117-1

Affected Products

Node.Js