(CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
Low
Internet Bug Bounty
Team Summary
Official summary from Internet Bug Bounty
### fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (Low) (CVE-2023-32003)

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API, and the impact is that a malicious actor could create an arbitrary directory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts: This vulnerability affects all users using the experimental permission model in Node.js 20.
Reported by
haxatron1
Vulnerability Details
Technical details and impact analysis
https://hackerone.com/reports/2037887
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
Patch was provided.
## Impact
See reports
Report Details
Additional information and metadata
State
Closed
Substate
Resolved