CVE-2023-45311

9.8 CRITICAL

📋 TL;DR

This CVE describes a supply chain vulnerability in fsevents where versions before 1.2.11 fetched binaries from an external URL that could be compromised. If an adversary controlled that URL, they could distribute malicious binaries leading to arbitrary code execution in projects depending on fsevents. The vulnerability affects JavaScript/Node.js projects using vulnerable fsevents versions.

💻 Affected Systems

Products:
  • fsevents
Versions: All versions before 1.2.11
Operating Systems: macOS, Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects projects that depend on fsevents and fetch binaries during installation/build. The vulnerability is in the dependency chain, not the end application directly.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution on systems running vulnerable fsevents dependencies, potentially leading to complete system compromise, data theft, or lateral movement.

🟠 Likely Case: Malicious binary injection during package installation or build processes, leading to backdoor installation or credential harvesting.

🟢 If Mitigated: No impact if the URL is verified as secure or if proper integrity checks are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires compromising the external URL or intercepting the download. Some sources consider this mitigated as the URL is no longer adversary-controlled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.11 and later

Vendor Advisory: https://github.com/fsevents/fsevents

Restart Required: No

Instructions:

1. Update fsevents to version 1.2.11 or later.
2. Run `npm update fsevents`, or update package.json to specify `"fsevents": "^1.2.11"`.
3. Rebuild and restart any applications using fsevents.

🔧 Temporary Workarounds

Pin to secure version

all

Manually specify fsevents version 1.2.11 or later in package.json to prevent vulnerable versions from being installed.

npm install fsevents@^1.2.11

🧯 If You Can't Patch

  • Implement strict outbound network controls to block access to suspicious external URLs during builds.
  • Use dependency verification tools to ensure package integrity and validate external resource downloads.

🔍 How to Verify

Check if Vulnerable:

Check package-lock.json or node_modules/fsevents/package.json for version less than 1.2.11.

Check Version:

npm list fsevents | grep fsevents

Verify Fix Applied:

Verify fsevents version is 1.2.11 or higher in package.json or via 'npm list fsevents'.
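The manual check above can be automated against a lockfile. The following Node.js script is an added example (not code from the advisory or from the fsevents project): it walks a package-lock.json object, finds every fsevents entry, including transitive copies nested under other packages, and reports those with a version below 1.2.11. It handles both lockfile v1 ("dependencies" nesting) and lockfile v2/v3 ("packages" keyed by install path); the sample lock embedded at the bottom is constructed for illustration.

```javascript
// Added example: report fsevents entries below the fixed version (1.2.11)
// in a package-lock.json. Not part of the advisory or the fsevents project.

const FIXED_VERSION = [1, 2, 11]; // first version with the fix (from the advisory)

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); returns null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver comparison of the three core components.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is below 1.2.11. An unparseable version is treated as
// not proven fixed, so it is flagged rather than silently passed.
function isVulnerableFsevents(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true;
  return compareVersions(parsed, FIXED_VERSION) < 0;
}

// Scan a parsed package-lock.json object; returns [{ path, version }, ...].
function findVulnerableFsevents(lock) {
  const findings = [];

  // Lockfile v2/v3: "packages" is keyed by install path, e.g.
  // "node_modules/chokidar/node_modules/fsevents".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/fsevents$/.test(path) && isVulnerableFsevents(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }

  // Lockfile v1: nested "dependencies" objects; walk them recursively.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'fsevents' && isVulnerableFsevents(entry.version)) {
        findings.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');

  return findings;
}

// Constructed sample (v1 layout): the top-level copy is fixed, but chokidar
// carries its own vulnerable transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    fsevents: { version: '1.2.11' },
    chokidar: {
      version: '2.1.8',
      dependencies: { fsevents: { version: '1.2.9' } },
    },
  },
};

// Usage: node check-fsevents.js [path/to/package-lock.json]
// With no path argument the constructed sample lock is scanned.
if (typeof require === 'function' && require.main === module) {
  const fs = require('fs');
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  const findings = findVulnerableFsevents(lock);
  if (findings.length === 0) {
    console.log('No fsevents entries below 1.2.11 found.');
  } else {
    for (const f of findings) console.log(`VULNERABLE ${f.path} (fsevents ${f.version})`);
    process.exitCode = 1;
  }
}
```

Checking the lockfile rather than only `npm list` matters because a dependency may pin its own copy of fsevents: the top-level version can be 1.2.11 while a nested copy is still older.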

📡 Detection & Monitoring

Log Indicators:

  • Unexpected network connections to fsevents-binaries.s3-us-west-2.amazonaws.com during package installation

Network Indicators:

  • HTTP requests to fsevents-binaries.s3-us-west-2.amazonaws.com from build systems

SIEM Query:

source="network_logs" AND dest_host="fsevents-binaries.s3-us-west-2.amazonaws.com"
