CVE-2023-30582

MEDIUM

Node.js 20 < 20.3.1 - Unauthorized File Monitoring via fs.watchFile API

Title source: llm

Description

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References (2)

Core 2

Core References

Various Sources

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240926-0007/

Scores

CVSS v3 5.3

EPSS 0.0010

EPSS Percentile 26.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (15)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 19.0 - 19.*

NodeJS/Node 20.0 - 20.3.1

NodeJS/Node 4.0 - 4.*

... and 5 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026