CVE-2023-32558

CVSS v3.1 7.5 (High)
EPSS 0.07% (31st percentile)
Affected Products 1
Advisories 3

The use of the deprecated API process.binding() can bypass the permission model through path traversal.

This vulnerability affects all users using the experimental permission model in Node.js 20.x.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2023-09-12 02:15:12
(12 months ago)
Updated Date
2023-12-04 14:57:36
(9 months ago)

Affected Products

Configuration #1

Product: Nodejs Node.js, from version 20.0.0 and prior to version 20.5.1
CPE23: cpe:2.3:a:nodejs:node.js::*:*:*:-
From: >= 20.0.0
Up To: < 20.5.1