fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 09 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Nodejs
Nodejs nodejs |
|
Weaknesses | CWE-284 | |
CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Nodejs
Nodejs nodejs |
|
Metrics |
cvssV3_1
|
ssvc
|
Sat, 07 Sep 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A vulnerability has been identified in Node.js version 20, where fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob() API. | fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. |
References |
|
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-09-07T16:00:35.918Z
Updated: 2024-09-26T15:03:04.235Z
Reserved: 2023-04-13T01:00:12.085Z
Link: CVE-2023-30583
Vulnrichment
Updated: 2024-09-26T15:03:04.235Z
NVD
Status : Awaiting Analysis
Published: 2024-09-07T16:15:02.117
Modified: 2024-11-21T08:00:27.697
Link: CVE-2023-30583
Redhat