CVE-2023-39333

CWE-94Code Injection7 documents6 sources
Severity
5.3MEDIUM
EPSS
0.1%
top 73.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedSep 7

Description

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

CVEListV5nodejs/node4.04.*+16
Alpinenodejs< 18.18.2-r0+6
Debiannodejs< 18.19.0+dfsg-6~deb12u1+2

🔴Vulnerability Details

4
OSV
CVE-2023-39333: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code2024-09-07
OSV
CVE-2023-39333: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code2024-09-07
GHSA
GHSA-wj24-gwh6-mgh8: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code2024-09-07
CVEList
CVE-2023-39333: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code2024-09-07

📋Vendor Advisories

2
Red Hat
nodejs: code injection via WebAssembly export names2023-10-13
Debian
CVE-2023-39333: nodejs - Maliciously crafted export names in an imported WebAssembly module can inject Ja...2023
CVE-2023-39333 (MEDIUM CVSS 5.3) | Maliciously crafted export names in | cvebase.io