CVE-2023-39332

9.8 CRITICAL

📋 TL;DR

This vulnerability allows path traversal attacks in Node.js when using non-Buffer Uint8Array objects with fs module functions. Attackers can potentially access files outside intended directories. It affects Node.js applications using the experimental permission model with Uint8Array path inputs.

💻 Affected Systems

Products:
  • Node.js
Versions: Node.js 20.x versions before 20.8.0, Node.js 18.x versions before 18.18.1
Operating Systems: All platforms running affected Node.js versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the experimental permission model with Uint8Array path inputs to fs module functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary file read/write leading to remote code execution, data exfiltration, or privilege escalation.

🟠 Likely Case

Unauthorized file access allowing reading of sensitive configuration files, source code, or credentials stored on the server.

🟢 If Mitigated

Limited impact due to proper input validation, sandboxing, or if the experimental permission model is not enabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to accept Uint8Array path inputs and have the permission model enabled. The vulnerability pattern is similar to previously patched Buffer-based path traversal issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 20.8.0, Node.js 18.18.1

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Restart Required: Yes

Instructions:

1. Update Node.js to version 20.8.0 or 18.18.1 or later.
2. Restart all Node.js applications and services.
3. Verify the update with 'node --version'.

🔧 Temporary Workarounds

Disable permission model (Platforms: all)

Disable the experimental permission model if not required

Remove --experimental-permission flag from startup commands

Input validation (Platforms: all)

Validate all path inputs to ensure they are strings or Buffer objects only

🧯 If You Can't Patch

  • Implement strict input validation to reject Uint8Array path inputs
  • Use application-level path sanitization and restrict file system access
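
An application-level guard for the input validation and path sanitization items above, as an added example (not code from Node.js or the vendor advisory). The helper name `toSafePath`, its signature and the base directory are assumptions of this example; it is a stopgap until the patched release is installed.

```javascript
const path = require("node:path");

// Hypothetical helper: accept only string or Buffer paths, then confine
// the resolved result to baseDir before it reaches any fs function.
function toSafePath(input, baseDir) {
  let rel;
  if (typeof input === "string") {
    rel = input;
  } else if (Buffer.isBuffer(input)) {
    // Buffer is a Uint8Array subclass, so it must be tested first.
    rel = input.toString("utf8");
  } else if (input instanceof Uint8Array) {
    // The input class named in CVE-2023-39332: a non-Buffer Uint8Array.
    throw new TypeError("non-Buffer Uint8Array path rejected");
  } else {
    throw new TypeError("path must be a string or Buffer");
  }
  if (rel.includes("\0")) throw new TypeError("NUL byte in path");

  const base = path.resolve(baseDir);
  const full = path.resolve(base, rel);
  // Containment is checked on the resolved path, so "../" cannot escape.
  const back = path.relative(base, full);
  if (back === ".." || back.startsWith(".." + path.sep) || path.isAbsolute(back)) {
    throw new RangeError("path escapes base directory");
  }
  return full;
}

// Constructed sample inputs; the base directory is a placeholder.
function demo() {
  const base = "/srv/app/uploads";
  const cases = {
    string: "report.txt",
    buffer: Buffer.from("img/a.png"),
    uint8: new TextEncoder().encode("../../etc/passwd"),
    traversal: "../../etc/passwd",
  };
  const out = {};
  for (const [name, value] of Object.entries(cases)) {
    try {
      out[name] = toSafePath(value, base);
    } catch (e) {
      out[name] = e.name + ": " + e.message;
    }
  }
  return out;
}
```

Call the guard at every point where request-derived data becomes an fs path, and pass only its return value to fs functions.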

🔍 How to Verify

Check if Vulnerable:

Check if Node.js version is below 20.8.0 (for v20) or below 18.18.1 (for v18) and the application uses Uint8Array paths with fs module functions.

Check Version:

node --version

Verify Fix Applied:

Confirm Node.js version is 20.8.0+ or 18.18.1+ and test that Uint8Array path inputs are properly validated.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file access patterns
  • Permission model errors with Uint8Array paths
  • Failed path resolution attempts

Network Indicators:

  • Unusual file read patterns from application endpoints

SIEM Query:

Search for Node.js permission model errors or unexpected fs module access patterns
