Bugzilla – Bug 1216271
VUL-0: CVE-2023-39332: nodejs: Path traversal through path stored in Uint8Array
Last modified: 2024-05-30 18:52:43 UTC
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects. This is distinct from CVE-2023-32004 (report 2038134), which only referred to Buffer objects. However, the vulnerability follows the same pattern using Uint8Array instead of Buffer. Impacts: This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nießen who reported and created the security patch. References: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
This is an autogenerated message for OBS integration: This bug (1216271) was mentioned in https://build.opensuse.org/request/show/1118025 Factory / nodejs20
Upstream claims this affects only Node 20. Electron uses Node 18. Removing myself from cc.
Done, closing.