CVE-2023-30584

Advisory lineage Upstream: 0 Downstream: 2
Deferred
Published: 07 Sept 2024, 16:00
Last modified:30 Apr 2025, 22:24

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.7 HIGH
v3.1 (cve.org)
EPSS Score
0.01% LOW
0% probability -0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Sept 2024, 16:00
Published
Vulnerability first disclosed
30 Apr 2025, 22:24
Last Modified
Vulnerability information updated

Description

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS Metrics

  • v3.1HIGHScore: 7.7CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.01% Percentile: 2%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • nodejsnode

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 17.0, < 17.* | ≥ 19.0, < 19.* | ≥ 20.0, < 20.3.1

References (2)