Various node:fs
functions allow specifying paths as either strings or Uint8Array
objects. In Node.js environments, the Buffer
class extends the Uint8Array
class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer
objects (see CVE-2023-32004), but not through non-Buffer
Uint8Array
objects.
This is distinct from CVE-2023-32004 which only referred to Buffer
objects. However, the vulnerability follows the same pattern using Uint8Array
instead of Buffer
.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
{ "cpes": [ "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*" ], "severity": "Critical" }