CVE-2023-30587

CWE-284Improper Access Control6 documents6 sources
Severity
7.5HIGH
EPSS
0.0%
top 97.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedSep 7

Description

A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechan

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

CVEListV5nodejs/node4.04.*+14

🔴Vulnerability Details

2
GHSA
GHSA-c595-v5xp-gv8w: A vulnerability in Node2024-09-07
CVEList
CVE-2023-30587: A vulnerability in Node2024-09-07

📋Vendor Advisories

2
Red Hat
nodejs: inspector protocol bypass the experimental permission model2023-06-20
Debian
CVE-2023-30587: nodejs - A vulnerability in Node.js version 20 allows for bypassing restrictions set by t...2023

💬Community

1
HackerOne
Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587)2023-11-30
CVE-2023-30587 (HIGH CVSS 7.5) | A vulnerability in Node.js version | cvebase.io