VDB
CVE-2023-30583
CVE-2023-30583
PUBLISHED
fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
EPSS 0.02% · 6.3th percentile
Risk Scores
EPSS Score
0.02%
6.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node-min | 20.0.0 |
| Bitnami | node | 20.0.0 |
| Bitnami | node-min | 20.0.0, 20.0.0, 20.0.0 |
| Bitnami | node | 20.0.0, 20.0.0, 20.0.0 |
Exploit Intelligence
- fs.openAsBlob() bypasses permission system (hackerone)
- fs.openAsBlob() bypasses permission system (hackerone)
- fs.openAsBlob() bypasses permission system (hackerone)
Timeline
- CVE Published
- Jul 20, 2023 PoC Published
- Sep 8, 2024 EPSS Score
- Sep 28, 2024 EPSS Score
- Oct 18, 2024 EPSS Score
- Nov 7, 2024 EPSS Score
- Nov 27, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
- Jan 7, 2025 EPSS Score
- Jan 27, 2025 EPSS Score
- Feb 16, 2025 EPSS Score
- Mar 8, 2025 EPSS Score