CVE-2023-23920: Untrusted Search Path Vulnerability in Node.js Affecting ICU Data Loading Security

Node.js users, it has come to our attention that an untrusted search path vulnerability (designated as CVE-2023-23920) exists in the following affected versions of Node.js: <19.6.1, <18.14.1, <16.19.1, and <14.21.3. The security issue allows an attacker to search and potentially load International Components for Unicode (ICU) data when running with elevated privileges. Users are advised to take immediate action to protect their Node.js applications by updating to a secure version of Node.js.

Vulnerability Description

The untrusted search path vulnerability CVE-2023-23920 in Node.js arises from the affected versions potentially loading ICU data files from an insecure search path, thereby allowing an attacker to load malicious ICU data files. Applications running Node.js with elevated privileges are at heightened risk, and the vulnerability primarily exposes Node.js applications to risk when searching for and loading ICU data.

Code Snippet

Consider a scenario where an application is running Node.js version 18.. and attempts to load ICU data. The problem arises from the use of an insecure search path:

// Node.js 18.. - application running with elevated privileges
const fs = require(...);
const icuData = fs.readFile('path/to/insecure/directory'); // Vulnerability: Untrusted search path

icuData.then(data => {
  // ... use ICU data ...
}).catch(err => {
  console.error("Error loading ICU data:", err);
});

Original References and Security Announcements

1. Node.js Official Security Announcement: Node.js Security Releases
2. CVE-2023-23920: National Vulnerability Database (NVD) Entry

Solution

Users are advised to update their Node.js installations to the following secure versions that contain patches addressing this vulnerability:

Node.js 14.21.3 or later

To perform the update, simply use your preferred package manager (e.g., npm or yarn) and enter the following commands:

# Update to latest Node.js version
npm install -g n
n latest

# Or, update to specific Node.js version
n 19.6.1

After updating to a secure version of Node.js, it is essential to review your applications to ensure that all insecure search paths have been removed and replaced with secure search paths.

Conclusion

It is crucial for Node.js users running applications with elevated privileges to secure their environments against the untrusted search path vulnerability. Be sure to apply the recommended update to the latest or a specific patched version of Node.js to ensure the safety of your applications from malicious ICU data files.

Always keep your Node.js installation updated and follow security best practices to prevent potential vulnerabilities from being exploited. Stay safe, and happy coding!

Timeline

Published on: 02/23/2023 20:15:00 UTC
Last modified on: 03/16/2023 16:15:00 UTC