CVE-2023-32003 - Bypassing the Node.js Permission Model using Path Traversal Attack in fs.mkdtemp() and fs.mkdtempSync()

In this long-read post, we'll analyze the CVE-2023-32003, which concerns a critical vulnerability present in the fs.mkdtemp() and fs.mkdtempSync() methods of the Node.js filesystem (fs) module. The vulnerability can be exploited using a path traversal attack, allowing a malicious actor to bypass the permission model check and create arbitrary directories within the filesystem. This is due to a missing check in the fs.mkdtemp() API. The vulnerability affects all Node.js 20 users utilizing the experimental permission model.

Exploit Details

The fs.mkdtemp() and fs.mkdtempSync() methods create unique temporary directories on a filesystem. Typically, these temporary directories have strict permission settings that prevent unauthorized access. However, the vulnerability under consideration stems from an oversight in the implementation of these methods, which allows a malicious party to bypass the permission model check and execute path traversal attacks.

A simple demonstration of the malicious code exploiting the vulnerability

const fs = require('fs');

fs.mkdtemp('../../path/to/target/folder', (err, folder) => {
  if (err) throw err;
  console.log(Created directory: ${folder});
});

By using a path traversal pattern (e.g., '../../path/to/target/folder') as an argument to the fs.mkdtemp() method, the attacker can create arbitrary directories within the target folder, potentially resulting in unauthorized access, file manipulations, and other security risks.

References & Documentation

The official documentation for the fs.mkdtemp() and fs.mkdtempSync() methods can be found in the Node.js documentation, linked below:

- fs.mkdtemp(): https://nodejs.org/api/fs.html#fsmkdtempprefix-options-callback
- fs.mkdtempSync(): https://nodejs.org/api/fs.html#fsmkdtempsyncprefix-options

More information regarding the experimental permission model used in Node.js can also be found in its official documentation:

- Node.js Permission Model: https://nodejs.org/api/all.html#process_process_setgroups_groups

Node.js developers are recommended to apply any subsequent patch or update provided by the Node.js team addressing this vulnerability. Until a patch is made available, developers may opt to perform additional input validation on the parameters passed to the fs.mkdtemp() and fs.mkdtempSync() methods as a conditional mitigation against potential path traversal attacks.

Conclusion

The vulnerability represented by the CVE-2023-32003 has potential severe security implications for applications using the experimental permission model in Node.js 20, and allows bypassing the permission model check using a path traversal attack. Developers should pay close attention to the information and resources provided in this post, apply any fixes as they become available from the Node.js team, and remain vigilant of further updates related to the issue under discussion.

Timeline

Published on: 08/15/2023 16:15:00 UTC
Last modified on: 08/22/2023 01:55:00 UTC