First published: Tue Aug 15 2023(Updated: )
Node.js could allow a remote attacker to bypass security restrictions, caused by a missing getValidatedPath() check in the fs.mkdtemp() and fs.mkdtempSync() APIs. By using a path traversal attack, an attacker could exploit this vulnerability to bypass the permission model check and create an arbitrary directory.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Nodejs Node.js | >=20.0.0<=20.5.0 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
<=2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2023-32003.
The title of this vulnerability is 'fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack.'
This vulnerability can be exploited by using a path traversal attack to bypass the permission model check in the fs.mkdtemp() API.
This vulnerability affects Node.js versions 20.0.0 to 20.5.0 and Fedora versions 37 and 38.
The severity of this vulnerability is medium, with a CVSS score of 5.3.