CVE-2023-39331

Published: 10/18/2023 Last updated: 4/30/2025 Reserved: 7/28/2023

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.0	7.7	High	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Opam packages affected (1)

conf-npm

Products affected (1)

Product	Vendor	Version
Node	NodeJS	n/a

References (4)

https://hackerone.com/reports/2092852
https://security.netapp.com/advisory/ntap-20231116-0009/
https://hackerone.com/reports/2092852
https://security.netapp.com/advisory/ntap-20231116-0009/