First published: Tue Aug 15 2023(Updated: )
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Nodejs Node.js | >=20.0.0<=20.5.0 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
<=2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2023-32003.
The title of this vulnerability is 'fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack.'
This vulnerability can be exploited by using a path traversal attack to bypass the permission model check in the fs.mkdtemp() API.
This vulnerability affects Node.js versions 20.0.0 to 20.5.0 and Fedora versions 37 and 38.
The severity of this vulnerability is medium, with a CVSS score of 5.3.