CVE-2023-30585

7.5 HIGH

📋 TL;DR

This vulnerability allows unprivileged Windows users to manipulate the %USERPROFILE% environment variable in the registry during Node.js MSI installer repair operations, tricking the system-level msiexec.exe process into creating arbitrary folders in unintended locations. It only affects Windows users who installed Node.js using the .msi installer. Other installation methods and operating systems are not vulnerable.

💻 Affected Systems

Products:
  • Node.js
Versions: All versions installed via .msi installer on Windows prior to June 2023 security releases
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations using the .msi installer. ZIP package, nvm, or other installation methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privilege escalation where an attacker creates folders in system directories, potentially enabling further exploitation like DLL planting or path traversal attacks.

🟠 Likely Case

Local attackers creating folders in sensitive locations for persistence or preparing for future attacks.

🟢 If Mitigated

Minimal impact if proper access controls prevent registry modification or if Node.js repair operations are restricted.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal users with standard privileges could exploit this to gain elevated access on affected Windows systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to modify registry keys. Exploitation depends on triggering Node.js repair operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js versions released in June 2023 security updates

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Restart Required: No

Instructions:

1. Download the latest Node.js version from the official website
2. Run the installer to update
3. Verify the installation with 'node --version'

🔧 Temporary Workarounds

Restrict registry permissions

windows

Prevent standard users from modifying the %USERPROFILE% value under the HKEY_CURRENT_USER\Environment registry key

regedit -> HKEY_CURRENT_USER\Environment -> Right-click -> Permissions -> Remove write access for non-admin users

Use alternative installation method

windows

Switch to Node.js installation via ZIP package or nvm

Download ZIP from nodejs.org and extract to desired location

🧯 If You Can't Patch

  • Restrict standard user permissions to modify HKEY_CURRENT_USER\Environment registry key
  • Monitor for unexpected folder creation in system directories

🔍 How to Verify

Check if Vulnerable:

Check whether Node.js was installed via the .msi installer on Windows and whether its version predates the June 2023 releases

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is from June 2023 or later: node --version should show v18.16.1+, v20.3.1+, or v16.20.1+

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing msiexec.exe creating unexpected folders
  • Registry modification events for HKEY_CURRENT_USER\Environment

Network Indicators:

  • None - local exploitation only

SIEM Query:

(EventID=4657 OR EventID=4663) AND (TargetObject contains 'HKEY_CURRENT_USER\Environment' OR ProcessName='msiexec.exe'), then review the msiexec.exe matches for folders created in unusual locations
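
The "How to Verify" checks and the registry log indicator above, combined into one PowerShell script. This is an added example, not code from the vendor advisory; it assumes the .msi registers itself under the standard Uninstall keys with DisplayName `Node.js`, and that a default profile stores no `USERPROFILE` value under `HKCU:\Environment`. The function and variable names are illustrative.

```powershell
# Added example. Fixed versions are taken from the "Verify Fix Applied" line.
$FixedByLine = @{ 16 = [version]'16.20.1'; 18 = [version]'18.16.1'; 20 = [version]'20.3.1' }

function Test-NodeMsiFixed {
    param([Parameter(Mandatory)][version]$Version)
    if ($FixedByLine.ContainsKey($Version.Major)) {
        return $Version -ge $FixedByLine[$Version.Major]
    }
    # Assumption: release lines above 20 first shipped after June 2023.
    # Lines with no fixed release named on this page are reported as not fixed.
    return $Version.Major -gt 20
}

# Assumption: the .msi registers under the standard Uninstall keys as "Node.js".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Node.js' -and $_.WindowsInstaller -eq 1 }

if (-not $installs) {
    Write-Output 'No MSI-installed Node.js found; this host is outside the affected set.'
}
foreach ($i in $installs) {
    $v = [version]$i.DisplayVersion
    [pscustomobject]@{
        Version     = $v
        InstallPath = $i.InstallLocation
        Fixed       = Test-NodeMsiFixed -Version $v
    }
}

# Log indicator from this page: changes under HKEY_CURRENT_USER\Environment.
# Assumption: a default profile stores no USERPROFILE value here, so one that
# exists deserves review. This reads only the current user's hive.
$override = Get-ItemProperty -Path 'HKCU:\Environment' -Name 'USERPROFILE' -ErrorAction SilentlyContinue
if ($override) {
    Write-Warning "USERPROFILE is set under HKCU:\Environment: $($override.USERPROFILE)"
}
```

Run it in the session of the user being checked, since `HKCU:` resolves to that user's hive only.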
