CVE-2023-39332 is a path traversal vulnerability in various Node.js node:fs functions, which do not handle non-Buffer Uint8Array objects securely. Node.js allows paths to be specified as either strings or Uint8Array objects. Although Node.js has resolved path traversal issues involving strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), non-Buffer Uint8Array objects remain vulnerable.

This vulnerability is distinct from CVE-2023-32004, which focused on Buffer objects. However, both vulnerabilities share similar characteristics, with this CVE addressing path traversal via Uint8Array objects instead.

It is crucial to note that the permission model, wherein this vulnerability exists, remains an experimental feature in Node.js.

Code Snippet

The following code snippet demonstrates the path traversal vulnerability using non-Buffer Uint8Array objects:

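const fs = require('node:fs');
const path = require('node:path');

// Path supplied by the user; the relative segment points outside the current directory.
const userProvidedPath = '../secret.txt';
// Resolve the string form to an absolute path.
const sanitizedPath = path.resolve(userProvidedPath);

// Copy the bytes into a plain Uint8Array, which is not a Buffer instance.
const nonBufferUint8Array = new Uint8Array(Buffer.from(sanitizedPath));

// Pass the Uint8Array to node:fs as the path argument.
fs.readFile(nonBufferUint8Array, (err, data) => {
  if (err) {
    console.error(err);
  } else {
    console.log(data.toString());
  }
});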

In this example, a user provides a relative path attempting to access a restricted file. The path.resolve() function should prevent path traversal; however, it does not effectively sanitize the Uint8Array object, allowing attackers to bypass the protection mechanisms and access sensitive information.

Exploit Details

Attackers can exploit this vulnerability by crafting a non-Buffer Uint8Array object with the desired path traversal. When using this malicious object with a vulnerable node:fs function, the exploit allows the attacker to read, write, or execute files outside the intended directory, effectively gaining unauthorized access to the application's file system.

At this moment, no active exploits or proof-of-concept code have surfaced, but developers are advised to take defensive measures to protect their applications and users against potential threats.

Original References

1. CVE-2023-39332 - Node.js Path Traversal Vulnerability in Non-Buffer Uint8Array Objects
2. CVE-2023-32004 - Node.js Path Traversal Vulnerability in Buffer Objects
3. CVE-2023-30584 - Node.js Path Traversal Vulnerability in Strings
4. Node.js Permission Model (Experimental)

Mitigation

To protect against this vulnerability, the best practice is to apply input validation when handling paths provided by users. Developers are also encouraged to monitor updates from the Node.js security advisories for any new information or patches related to this vulnerability. Moreover, when the permission model graduates from experimental status, it is crucial to revisit any security controls that might require adjustments to accommodate the fixed feature.
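
One way to apply the input validation recommended above, as an added example (not code from Node.js or the advisory): the hypothetical helper resolveInsideBase decodes string, Buffer and plain Uint8Array paths to a single normalised string and rejects anything that resolves outside a base directory. The base directory /srv/app/uploads and the sample inputs are constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical helper (not a Node.js API): normalise a user-supplied path of
// any type node:fs accepts and confirm it stays inside baseDir.
function resolveInsideBase(baseDir, userPath) {
  let text;
  if (typeof userPath === 'string') {
    text = userPath;
  } else if (userPath instanceof Uint8Array) {
    // Buffer is a Uint8Array subclass, so this branch covers both types.
    // fatal: true makes the decoder throw on bytes that are not valid UTF-8.
    text = new TextDecoder('utf-8', { fatal: true }).decode(userPath);
  } else {
    throw new TypeError('path must be a string, Buffer or Uint8Array');
  }
  if (text.includes('\0')) {
    throw new Error('path contains a NUL byte');
  }
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, text); // collapses "." and ".." segments
  const rel = path.relative(base, resolved);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  // Callers pass this string to node:fs instead of the original bytes.
  return resolved;
}

// Constructed sample inputs: one benign path, then the same traversal as a
// string, a Buffer and a plain (non-Buffer) Uint8Array.
const samples = [
  'docs/readme.txt',
  '../secret.txt',
  Buffer.from('../secret.txt'),
  new TextEncoder().encode('../secret.txt'),
];
for (const sample of samples) {
  try {
    console.log('allow', resolveInsideBase('/srv/app/uploads', sample));
  } catch (err) {
    console.log('deny ', err.message);
  }
}
```

The check is lexical and does not follow symbolic links; where the base directory may contain them, compare against the result of fs.realpath as well.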

Timeline

Published on: 10/18/2023 04:15:11 UTC
Last modified on: 11/03/2023 22:15:10 UTC