CVE-2023-32004 – This CVE describes a path traversal vulnerabili... (How to Fix)

Q: What is the severity of CVE-2023-32004?

CVE-2023-32004 has a CVSS score of 8.8 (HIGH). This CVE describes a path traversal vulnerability in Node.js 20's experimental permission model where improper Buffer handling in file system APIs allows bypassing file permission checks. Attackers could potentially read, write, or delete files outside permitted directories. Only affects users who have explicitly enabled the experimental permission model in Node.js 20.

📋 TL;DR

This CVE describes a path traversal vulnerability in Node.js 20's experimental permission model where improper Buffer handling in file system APIs allows bypassing file permission checks. Attackers could potentially read, write, or delete files outside permitted directories. Only affects users who have explicitly enabled the experimental permission model in Node.js 20.

💻 Affected Systems

Products:

Node.js

Versions: Version 20.x (specifically with experimental permission model enabled)

Operating Systems: All platforms running Node.js

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when the experimental permission model is explicitly enabled via --experimental-permission flag; this feature is disabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete file system compromise allowing arbitrary file read/write/delete operations, potentially leading to data theft, system takeover, or service disruption.

🟠

Likely Case

Unauthorized access to sensitive files outside permitted directories, potentially exposing configuration files, credentials, or application data.

🟢

If Mitigated

Limited impact since the permission model is experimental and must be explicitly enabled; proper file system permissions and isolation would further reduce risk.

🌐 Internet-Facing: MEDIUM - Web applications using Node.js 20 with experimental permissions enabled could be exploited to access server files, but requires specific configuration.

🏢 Internal Only: LOW - Internal systems are less likely to have experimental features enabled in production; standard security controls would limit impact.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept available in HackerOne report; exploitation requires application to process malicious input through vulnerable file system APIs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 20.5.1 and later

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

Restart Required: Yes

Instructions:

1. Update Node.js to version 20.5.1 or later. 2. For Linux: Use package manager (apt-get update && apt-get upgrade nodejs). 3. For Windows: Download installer from nodejs.org. 4. For manual install: Download from nodejs.org and replace existing installation. 5. Restart all Node.js applications.

🔧 Temporary Workarounds

Disable Experimental Permission Model

all

Remove --experimental-permission flag from Node.js startup commands

Remove any --experimental-permission flags from application startup scripts, package.json scripts, or systemd service files

Restrict File System Access

linux

Implement additional file system permission controls at OS level

chmod 750 /path/to/application
setfacl -m u:nodeuser:rx /path/to/application

🧯 If You Can't Patch

Disable the experimental permission model immediately by removing --experimental-permission flags
Implement strict input validation and sanitization for all file path inputs in applications

🔍 How to Verify

Check if Vulnerable:

Check if Node.js version is 20.x and experimental permission model is enabled: node --version && check for --experimental-permission in startup commands

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is 20.5.1 or later: node --version should show v20.5.1 or higher

📡 Detection & Monitoring

Log Indicators:

Unexpected file access patterns
Permission denied errors for files that should be accessible
File system API calls with unusual paths

Network Indicators:

Unusual file download patterns from application
Requests containing path traversal sequences (../)

SIEM Query:

source="nodejs" AND (message="*permission*" OR message="*ENOENT*" OR message="*EACCES*") AND path="*../*"

📊 Metadata

CVE ID: CVE-2023-32004

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: August 15, 2023

Last Updated: May 8, 2025

🔗 References

https://hackerone.com/reports/2038134 Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/ Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20230915-0009/
https://hackerone.com/reports/2038134 Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/ Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/ Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20230915-0009/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-32004, you might also want to check these: