(CVE-2023-32004) Permission model bypass by specifying a path traversal sequence in a Buffer
High
I
Internet Bug Bounty
Submitted None
Team Summary
Official summary from Internet Bug Bounty
###Permission model bypass by specifying a path traversal sequence in a Buffer (HIGH)(CVE-2023-32004) A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Impacts: This vulnerability affects all users using the experimental permission model in Node.js 20.
Actions:
Reported by
haxatron1
Vulnerability Details
Technical details and impact analysis
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permission-model-bypass-by-specifying-a-path-traversal-sequence-in-a-buffer-highcve-2023-32004
https://hackerone.com/reports/2038134
Also, patch was provided in the report and matched https://github.com/nodejs/node/commit/1f64147eb607f82060e08884f993597774c69280 (excluding tests).
## Impact
see reports.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Path Traversal