CVE-2023-30588

CVSS v3.1 5.3 (Medium)
EPSS 0.07% (31st)
Affected Products 1
Advisories 24
NVD Status Modified

When an invalid public key is used to create an X.509 certificate with the crypto.X509Certificate() API, the process terminates unexpectedly. This makes it susceptible to DoS attacks, because an attacker could force interruptions of application processing: the process terminates when user code accesses the public key info of provided certificates. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions: v16, v18, and v20.

Weaknesses: CWE-NVD-noinfo
CVE Status: PUBLISHED
NVD Status: Modified
CNA: HackerOne
Published Date: 2023-11-28 20:15:07 (9 months ago)
Updated Date: 2024-06-21 19:15:26 (2 months ago)

Affected Products


Configuration #1

  Product           CPE23                       From         Up To
  Nodejs Node.js    cpe:2.3:a:nodejs:node.js    >= 16.0.0    < 16.20.1
  Nodejs Node.js    cpe:2.3:a:nodejs:node.js    >= 18.0.0    < 18.16.1
  Nodejs Node.js    cpe:2.3:a:nodejs:node.js    >= 20.0.0    < 20.3.1