CVE-2023-43800

HIGH

Arduino Create Agent <1.3.3 - Privilege Escalation

Description

Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.

Scores

CVSS v3 7.3
EPSS 0.0003
EPSS Percentile 8.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-345
Status published
Products (2)
arduino/arduino-create-agent 0 - 1.3.3 (Go)
arduino/create_agent < 1.3.3
Published Oct 18, 2023
Tracked Since Feb 18, 2026