CVE-2023-30583

HIGH

Node.js < 20.3.1 - Permission Model Bypass via fs.openAsBlob()

Title source: llm

Description

fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References (2)

Core 2

Core References

Various Sources

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240926-0006/

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 6.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (15)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 19.0 - 19.*

NodeJS/Node 20.0 - 20.3.1

NodeJS/Node 4.0 - 4.*

... and 5 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026