CVE-2023-30587

EUVD-2023-34968

07.09.2024, 16:15

A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).

By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
nodejs	nodejs	20.3.1 < 𝑥 < 20.3.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nodejs

bookworm	18.19.0+dfsg-6~deb12u2 fixed
bookworm (security)	18.19.0+dfsg-6~deb12u1 fixed
bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u5 fixed
sid	20.18.1+dfsg-1 fixed
trixie	20.18.1+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

nodejs

bionic	not-affected
focal	not-affected
jammy	not-affected
kinetic	ignored
lunar	ignored
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

https://security.netapp.com/advisory/ntap-20241108-0004/