CVE-2023-32558
HIGHNode.js 20.0.0-20.5.1 - Permission Model Bypass via process.binding() Path Traversal
Title source: llmDescription
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://hackerone.com/reports/2051257
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241025-0003/
Scores
CVSS v3
7.5
EPSS
0.0019
EPSS Percentile
40.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-22
Status
published
Products (1)
nodejs/node.js
20.0.0 - 20.5.1
Published
Sep 12, 2023
Tracked Since
Feb 18, 2026