Rewterz Threat Advisory – Multiple Node.js Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-39333 CVSS:5.3

Node.js could allow a remote attacker to gain unauthorized access to the system, caused by a code injection flaw. By using specially crafted export names in an imported WebAssembly module, an attacker could exploit this vulnerability to inject JavaScript code and gain access to restricted data and functions.

CVE-2023-38552 CVSS:5.3

Node.js could allow a remote attacker to bypass security restrictions, caused by the circumvention of integrity checks by the policy feature. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.

CVE-2023-39332 CVSS:7.5

Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass using non-Buffer Uint8Array objects. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.

CVE-2023-39331 CVSS:7.5

Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.

Impact

• Gain Access
• Security Bypass

Indicators Of Compromise

CVE

• CVE-2023-39333
• CVE-2023-38552
• CVE-2023-39332
• CVE-2023-39331

Affected Vendors

Node.js

Affected Products

• Node.js 18.0
• Node.js 20.0

Remediation

Refer to Node.js Blog for patch, upgrade or suggested workaround information.

Node.js Blog