CVE-2023-30583

Severity: 7.5 (HIGH)
EPSS: 0.0% (top 94.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 7

Description

fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

CVEListV5: nodejs/node, versions 4.0, 4.* (+14)

🔴 Vulnerability Details (2)

CVEList: CVE-2023-30583: fs (2024-09-07)
GHSA: GHSA-9ccp-4gjg-264g: fs (2024-09-07)

📋 Vendor Advisories (2)

Red Hat: nodejs: fs.openAsBlob bypass in experimental permission model (2023-06-20)
Debian: CVE-2023-30583: nodejs - fs.openAsBlob() can bypass the experimental permission model when using the file... (2023)
Source: cvebase.io