What is CVE-2023-30590?

CVE-2023-30590 is a vulnerability that affects the generateKeys() API function returned from crypto.createDiffieHellman() in Node.js.

How does CVE-2023-30590 impact Node.js?

CVE-2023-30590 allows an attacker to generate missing or outdated keys in Node.js, potentially compromising the security of cryptographic operations.

What is the severity of CVE-2023-30590?

CVE-2023-30590 has a severity rating of high, with a score of 7.5.

Which versions of Node.js are affected by CVE-2023-30590?

CVE-2023-30590 affects Node.js versions 16.0.0 to 16.20.1, 18.0.0 to 18.16.1, and 20.0.0 to 20.3.1.

How can I fix CVE-2023-30590?

To fix CVE-2023-30590, update your Node.js installation to a version that includes the security patch provided by the Node.js team.

Vulnerability/
CVE-2023-30590

high

7.5

5/7/2023

28/11/2023

27/3/2024

CVE-2023-30590

First published: Wed Jul 05 2023(Updated: )

Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
IBM Planning Analytics	<=2.0
Nodejs Node.js	>=16.0.0<16.20.1
Nodejs Node.js	>=18.0.0<18.16.1
Nodejs Node.js	>=20.0.0<20.3.1
ubuntu/nodejs	<8.10.0~dfsg-2ubuntu0.4+	8.10.0~dfsg-2ubuntu0.4+
ubuntu/nodejs	<10.19.0~dfsg-3ubuntu1.6	10.19.0~dfsg-3ubuntu1.6
ubuntu/nodejs	<12.22.9~dfsg-1ubuntu3.5	12.22.9~dfsg-1ubuntu3.5
ubuntu/nodejs	<18.13.0+dfsg1-1ubuntu2.2	18.13.0+dfsg1-1ubuntu2.2
ubuntu/nodejs	<0.10.25~dfsg2-2ubuntu1.2+	0.10.25~dfsg2-2ubuntu1.2+
ubuntu/nodejs	<4.2.6~dfsg-1ubuntu4.2+	4.2.6~dfsg-1ubuntu4.2+
debian/nodejs	<=10.24.0~dfsg-1~deb10u1<=12.22.12~dfsg-1~deb11u4<=18.13.0+dfsg1-1	10.24.0~dfsg-1~deb10u4 18.19.0+dfsg-6~deb12u1 18.20.1+dfsg-4 20.13.1+dfsg-1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-30590?
CVE-2023-30590 is a vulnerability that affects the generateKeys() API function returned from crypto.createDiffieHellman() in Node.js.
How does CVE-2023-30590 impact Node.js?
CVE-2023-30590 allows an attacker to generate missing or outdated keys in Node.js, potentially compromising the security of cryptographic operations.
What is the severity of CVE-2023-30590?
CVE-2023-30590 has a severity rating of high, with a score of 7.5.
Which versions of Node.js are affected by CVE-2023-30590?
CVE-2023-30590 affects Node.js versions 16.0.0 to 16.20.1, 18.0.0 to 18.16.1, and 20.0.0 to 20.3.1.
How can I fix CVE-2023-30590?
To fix CVE-2023-30590, update your Node.js installation to a version that includes the security patch provided by the Node.js team.

agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-30590
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/severity
agent/author
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/last-modified-date
collector/usn-cve
source/Ubuntu
agent/references
agent/softwarecombine
agent/tags
agent/description
agent/event
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
collector/nvd-cve
vendor/ibm
canonical/ibm planning analytics
version/ibm planning analytics/2.0
vendor/nodejs
canonical/nodejs node.js
version/nodejs node.js/16.0.0
version/nodejs node.js/18.0.0
version/nodejs node.js/20.0.0
package-manager/ubuntu
package-manager/debian