CVE-2023-30587

HIGH

Node.js < 20.3.1 - Permission Model Bypass via Inspector Worker Manipulation

Title source: llm

Description

A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References (2)

Core 2

Core References

Various Sources

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241108-0004/

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (15)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 19.0 - 19.*

NodeJS/Node 20.0 - 20.3.1

NodeJS/Node 4.0 - 4.*

... and 5 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026