CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
98.4%
Updates are now available for the v18.x and v20.x Node.js release lines for the following issues.
Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici’s implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
More details area available in GHSA-wqq4-5wpv-mx2g
Rapidly creating and cancelling streams (HEADERS
frame immediately followed by RST_STREAM
) without bound causes denial of service. See <https://vulners.com/cve/CVE-2023-44487> for details.
Impacts:
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.
Impacts:
Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.
Thanks to Tobias Nießen who reported and created the security patch.
Various node:fs
functions allow specifying paths as either strings or Uint8Array
objects. In Node.js environments, the Buffer
class extends the Uint8Array
class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer
objects (see CVE-2023-32004), but not through non-Buffer
Uint8Array
objects.
This is distinct from CVE-2023-32004 (report 2038134), which only referred to Buffer
objects. However, the vulnerability follows the same pattern using Uint8Array
instead of Buffer
.
Impacts:
Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js.
Thanks to Tobias Nießen who reported and created the security patch.
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node’s policy implementation, thus effectively disabling the integrity check.
Impacts:
Please note that at the time this CVE is issued, the policy mechanism is an experimental feature of Node.js.
Thanks to Tobias Nießen who reported and created the security patch.
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
Impacts:
--experimental-wasm-modules
command line option in all active release lines 18.x and 20.x.Thanks to dittyroma for reporting the issue and to Tobias Nießen for fixing it.
The Node.js project will release new versions of the 18.x and 20.x releases lines on or shortly after, Friday October 13 2023 in order to address:
All the active release lines are affected by undici and nghttp2 security patches, which are rated as high severity issues.
In addition, the 20.x release line of Node.js is vulnerable to 2 high severity issues, 1 medium severity issue, and 1 low severity issue.
In addition, the 18.x release line of Node.js is vulnerable to 1 medium severity issue, and 1 low severity issue.
Releases will be available on, or shortly after, Friday October 13 2023.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
98.4%