The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
This vulnerability affects all users using the experimental permission model in Node.js 20.x.
Please note that at the time this CVE was issued, the permission model was an experimental feature of Node.js.
References
| Link | Resource |
|---|---|
| https://hackerone.com/reports/2051257 | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: hackerone
Published: 2023-09-12T01:36:55.861Z
Updated: 2023-09-12T01:36:55.861Z
Reserved: 2023-05-10T01:00:12.523Z
Link: CVE-2023-32558
NVD Information
Status: Analyzed
Published: 2023-09-12T02:15:12.067
Modified: 2023-12-04T14:57:36.603
Link: CVE-2023-32558
Redhat Information
No data.
CWE