CVE-2023-32558

CWE-22Path Traversal5 documents5 sources
Severity
7.5HIGH
EPSS
0.2%
top 58.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedSep 12
Latest updateSep 15

Description

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5nodejs/node4.04.*+14
NVDnodejs/node.js20.0.020.5.1

🔴Vulnerability Details

2
GHSA
GHSA-h9p4-9jqg-j34h: The use of the deprecated API `process2023-09-15
CVEList
CVE-2023-32558: The use of the deprecated API `process2023-09-12

📋Vendor Advisories

2
Red Hat
nodejs: process.binding() can bypass the permission model through path traversal2023-08-09
Debian
CVE-2023-32558: nodejs - The use of the deprecated API `process.binding()` can bypass the permission mode...2023
CVE-2023-32558 (HIGH CVSS 7.5) | The use of the deprecated API `proc | cvebase.io