CVE-2023-32003

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Aug 15, 2023
Updated: Sep 21, 2023
CWE ID 22

Summary

CVE-2023-32003 is a vulnerability in Node.js version 20 that allows the permission model check to be bypassed through a path traversal attack using the `fs.mkdtemp()` and `fs.mkdtempSync()` functions. The `fs.mkdtemp()` API is missing a check, which lets malicious actors create arbitrary directories. The vulnerability affects all users of the experimental permission model in Node.js 20. The permission model in Node.js 20 is an experimental feature, and exploitation of this flaw may lead to serious consequences.
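
An application-level guard for the traversal described in the summary, as an added example that is not taken from the advisory or from Node.js itself: it canonicalizes the path `fs.mkdtempSync()` would create and rejects prefixes that land outside an allowed root. The helper names `isBeneath`, `checkMkdtempPrefix` and `guardedMkdtempSync` and the allowed-roots list are assumptions made for illustration.

```javascript
'use strict';
const fs = require('node:fs');
const path = require('node:path');

// True when `candidate` is strictly beneath `root` (both already canonical).
function isBeneath(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== '' && rel !== '..' &&
    !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Returns the canonical parent directory that would receive the new entry,
// or throws if the prefix resolves outside every allowed root.
// `allowedRoots` is a hypothetical allow-list of existing directories.
function checkMkdtempPrefix(prefix, allowedRoots) {
  // fs.mkdtemp() appends six random characters to the prefix. Model that
  // with a stand-in suffix so '..' segments and trailing separators are
  // resolved the same way the final path would be.
  const target = path.resolve(prefix + 'XXXXXX');
  // Canonicalize the parent so a symlinked component cannot hide an escape.
  const parent = fs.realpathSync(path.dirname(target));
  const candidate = path.join(parent, path.basename(target));
  const ok = allowedRoots.some((r) => isBeneath(fs.realpathSync(r), candidate));
  if (!ok) {
    throw new Error(`mkdtemp prefix escapes allowed roots: ${prefix}`);
  }
  return parent;
}

// Wrapper that validates the prefix before any directory is created.
// The check and the creation are separate steps, so this is defense in
// depth for application code, not a replacement for a patched runtime.
function guardedMkdtempSync(prefix, allowedRoots) {
  checkMkdtempPrefix(prefix, allowedRoots);
  return fs.mkdtempSync(prefix);
}
```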


Affected Products

  • Nodejs Node.js
  • Fedora Operating System

Affected Vendors

  • Fedora Project