#VU82070 Code Injection in Node.js


Published: 2023-10-17 | Updated: 2023-10-18

Vulnerability identifier: #VU82070

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39333

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation in an imported WebAssembly module when processing export names. A remote attacker can pass specially crafted export names to the application and execute arbitrary JavaScript code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 18.1.0 - 18.18.1, 18.4.0, 18.3.0, 18.2.0, 18.0.0

External links
http://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Multiple vulnerabilities in IBM Answer Retrieval for Watson Discovery
Multiple vulnerabilities in IBM Business Automation Workflow Configuration Editor
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
App Connect Enterprise Certified Container update for Node.js
Multiple vulnerabilities in IBM Spectrum Control
Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Red Hat Enterprise Linux 8 update for the nodejs:20 module
Multiple vulnerabilities in IBM Voice Gateway