---
A new security vulnerability, tracked as CVE-2023-30582, has been discovered in Node.js version 20. It affects users of the experimental permission model who pass the --allow-fs-read flag with a non-* argument. The flaw stems from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files to which they have not been granted explicit read access.

As a reminder, when this CVE was issued, the permission model was still an experimental feature in Node.js.

Original CVE and references

Vulnerability announcement from Node.js security mailing list

Code Snippet: Demonstrating the Flaw

---
Using the experimental permission model in Node.js 20 with the --allow-fs-read flag, the following code snippet shows how the permission model is bypassed using the fs.watchFile API:

```javascript
const fs = require('fs');

// Example: watch a file that does not have explicit read permission
const path = '/path/to/sensitive-file';
fs.watchFile(path, (curr, prev) => {
  // curr and prev are fs.Stats objects for the watched file
  console.log(`File ${path} changed from ${prev.mtime} to ${curr.mtime}`);
});
```

Exploiting the Vulnerability

---
An attacker who can execute arbitrary JavaScript code within the affected Node.js environment can use the fs.watchFile API to monitor the changes in files that they do not have explicit read access to. This can lead to unauthorized disclosure of sensitive information, which, in turn, can pave the way for further attacks.

Seemingly trivial, this vulnerability can have severe implications for application security—especially concerning permissions and confidential data.

Mitigation and Resolution

---

Conclusion

---
CVE-2023-30582 is a serious vulnerability in the experimental permission model of Node.js version 20. The developers behind Node.js are working tirelessly to address this issue, and it is expected that an update or patch will be released soon. In the meantime, users must exercise caution and follow suggested mitigations to prevent harm.

It is highly recommended to keep an eye on the official updates and patches for Node.js, ensuring timely resolutions of security vulnerabilities.

Timeline

Published on: 09/07/2024 16:15:02 UTC
Last modified on: 09/09/2024 19:35:01 UTC