CVE-2023-32558

Advisory lineage Upstream: 0 Downstream: 1
Modified
Published: 12 Sept 2023, 01:36
Last modified:30 Apr 2025, 22:25

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.19% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

12 Sept 2023, 01:36
Published
Vulnerability first disclosed
30 Apr 2025, 22:25
Last Modified
Vulnerability information updated

Description

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.19% Percentile: 41%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • nodejsnode

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 17.0, < 17.* | ≥ 19.0, < 19.* | ≥ 20.0, < 20.5.1

  • nodejsnode.js

    ≥ 20.0.0, < 20.5.1

References (2)