4 matches found
Path traversal
fs.mkdtemp and fs.mkdtempSync can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp API, and the impact is that a malicious actor could create an arbitrary directory. This vulnerability affects all users using the...
CVE-2023-32003
CVE-2023-32003 is described in the connected F5 advisory as a path-traversal flaw in Node.js 20's experimental permission model, where fs.mkdtemp() and fs.mkdtempSync() lack a necessary permission check, allowing a malicious actor to create an arbitrary directory. The impact is limited to users e...
Internet Bug Bounty: (CVE-2023-32003) fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks
The fs.mkdtemp and fs.mkdtempSync functions in Node.js were found to be missing getValidatedPath checks, allowing for a path traversal attack. This vulnerability could be exploited to create arbitrary directories...
Node.js: fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks.
A vulnerability was found in the fs.mkdtemp and fs.mkdtempSync functions in Node.js 20, which allowed malicious actors to bypass the permission model check and create arbitrary directories...