Description
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
EPSS Score:
2%
Comprehensive Technical Analysis of EUVD-2023-43063 (CVE-2023-39332)
Node.js Path Traversal via Non-Buffer Uint8Array Objects
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2023-43063 (CVE-2023-39332) describes a path traversal vulnerability in Node.js’s node:fs module, where certain filesystem functions (e.g., fs.readFile, fs.writeFile, fs.readdir) accept path inputs as either strings or Uint8Array objects. While Node.js has implemented protections against path traversal via strings (CVE-2023-30584) and Buffer objects (CVE-2023-32004), it fails to sanitize non-Buffer Uint8Array objects, allowing attackers to bypass security controls.
CVSS 3.1 Severity Analysis
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.8 (Critical) | High impact on confidentiality, integrity, and availability. |
| Attack Vector (AV) | Network (N) | Exploitable remotely without authentication. |
| Attack Complexity (AC) | Low (L) | No special conditions required. |
| Privileges Required (PR) | None (N) | No privileges needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Unchanged (U) | Exploit affects only the vulnerable component. |
| Confidentiality (C) | High (H) | Arbitrary file read access. |
| Integrity (I) | High (H) | Arbitrary file write/modification. |
| Availability (A) | High (H) | Potential denial-of-service via filesystem manipulation. |
Justification for Critical Severity:
- Remote Exploitability: Attackers can trigger the vulnerability via network requests (e.g., HTTP, WebSocket, or API calls).
- No Authentication Required: Exploitable by unauthenticated users.
- High Impact: Allows arbitrary file read/write, leading to:
- Data exfiltration (e.g.,
/etc/passwd, configuration files). - Remote code execution (RCE) via file writes (e.g.,
.bashrc, cron jobs, web shells). - Denial-of-service (DoS) via filesystem corruption.
- Data exfiltration (e.g.,
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability arises from insufficient path sanitization when Uint8Array objects are passed to node:fs functions. Attackers can craft malicious Uint8Array objects containing path traversal sequences (e.g., ../, ..\) to access restricted files.
Example Exploit Scenario
-
Attacker-Controlled Input:
- A web application accepts user input (e.g., file upload, API parameter) and passes it to
fs.readFile()as aUint8Array. - Example malicious payload:
const maliciousPath = new Uint8Array([0x2E, 0x2E, 0x2F, 0x65, 0x74, 0x63, 0x2F, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64]); // Represents "../etc/passwd" in UTF-8 bytes fs.readFile(maliciousPath, (err, data) => { ... });
- A web application accepts user input (e.g., file upload, API parameter) and passes it to
-
Bypass of Existing Protections:
- Node.js does not normalize or sanitize
Uint8Arraypaths, unlike strings andBufferobjects. - The
Bufferclass (which extendsUint8Array) is protected, but rawUint8Arrayobjects are not.
- Node.js does not normalize or sanitize
-
Impact:
- Arbitrary File Read: Access sensitive files (e.g.,
/etc/shadow,.env,config.json). - Arbitrary File Write: Overwrite critical files (e.g.,
authorized_keys, web application code). - RCE via File Writes: If the application runs with elevated privileges, an attacker could write to executable paths (e.g.,
/etc/cron.d/,/var/www/html/).
- Arbitrary File Read: Access sensitive files (e.g.,
Real-World Attack Vectors
| Attack Vector | Description |
|---|---|
| Web Applications | Node.js-based APIs (Express, Fastify) that accept file paths from users. |
| File Upload Services | Applications processing uploaded files with fs functions. |
| Serverless Functions | AWS Lambda, Azure Functions using Node.js with unsafe path handling. |
| Electron Apps | Desktop applications using Node.js fs APIs. |
| CI/CD Pipelines | Build scripts or automation tools using node:fs. |
3. Affected Systems and Software Versions
Vulnerable Node.js Versions
| Version Range | Status | Notes |
|---|---|---|
| Node.js 20.x | Vulnerable | All versions ≤ 20.8.0 (fixed in 20.8.1+). |
| Node.js 18.x | Not Affected | Already patched for Buffer traversal (CVE-2023-32004). |
| Node.js 16.x | Not Affected | End-of-life (EOL) before this vulnerability was introduced. |
Affected Ecosystem Components
- Frameworks: Express.js, Fastify, NestJS, Koa (if using
node:fsdirectly). - Serverless: AWS Lambda, Google Cloud Functions, Azure Functions (Node.js runtime).
- Desktop Apps: Electron-based applications (e.g., VS Code, Slack, Discord).
- DevOps Tools: CI/CD pipelines (Jenkins, GitHub Actions) using Node.js scripts.
4. Recommended Mitigation Strategies
Immediate Remediation
-
Upgrade Node.js:
- Node.js 20.x: Update to 20.8.1 or later.
- Node.js 18.x: Ensure 18.18.2+ (already patched for
Buffertraversal).
-
Temporary Workarounds (if upgrade is not possible):
- Input Validation: Reject
Uint8Arrayinputs infsfunctions.function safeReadFile(path, callback) { if (path instanceof Uint8Array) { throw new Error("Uint8Array paths are not allowed"); } fs.readFile(path, callback); } - Path Normalization: Convert
Uint8Arrayto a string and sanitize.function sanitizePath(path) { if (path instanceof Uint8Array) { path = Buffer.from(path).toString('utf8'); } return require('path').normalize(path).replace(/^(\.\.(\/|\\|$))+/, ''); }
- Input Validation: Reject
-
Enable Node.js Permission Model (Experimental):
- Restrict filesystem access using
--experimental-permissionflag.node --experimental-permission --allow-fs-read=/allowed/path --allow-fs-write=/allowed/path app.js
- Restrict filesystem access using
Long-Term Security Best Practices
- Avoid User-Controlled Paths: Never pass user input directly to
fsfunctions. - Use
path.join()for Safe Path Construction:const safePath = path.join(__dirname, userInput); // Prevents traversal - Implement Sandboxing:
- Use Docker containers or gVisor to restrict filesystem access.
- Deploy Node.js in read-only filesystems where possible.
- Monitor for Exploitation:
- Log suspicious
fsoperations (e.g., attempts to access/etc/passwd). - Use runtime protection tools (e.g., Snyk, Aqua Security, Prisma Cloud).
- Log suspicious
5. Impact on European Cybersecurity Landscape
Regulatory and Compliance Implications
- GDPR (General Data Protection Regulation):
- Unauthorized file access may lead to data breaches, triggering Article 33 (72-hour notification) and potential fines (up to 4% of global revenue).
- NIS2 Directive (Network and Information Security):
- Critical infrastructure (e.g., energy, healthcare, finance) using Node.js must patch within strict timelines to avoid penalties.
- DORA (Digital Operational Resilience Act):
- Financial institutions must assess and mitigate this vulnerability as part of their ICT risk management framework.
Threat Landscape in Europe
- Targeted Attacks on European Organizations:
- APT Groups: State-sponsored actors (e.g., APT29, Turla) may exploit this in espionage campaigns.
- Ransomware Operators: Groups like LockBit, BlackCat could use this for initial access via vulnerable web apps.
- Supply Chain Risks:
- Open-source dependencies (e.g., npm packages using
node:fs) may propagate the vulnerability. - Third-party vendors (e.g., SaaS providers) using Node.js could expose customers to risk.
- Open-source dependencies (e.g., npm packages using
Mitigation Efforts by European CERTs
- ENISA (European Union Agency for Cybersecurity):
- Issued advisories to member states on patching Node.js.
- Coordinated vulnerability disclosure with national CERTs (e.g., CERT-FR, BSI, NCSC-NL).
- National CERTs:
- Germany (BSI): Recommended immediate patching for critical infrastructure.
- France (ANSSI): Issued high-severity alerts for financial and healthcare sectors.
- UK (NCSC): Advised runtime protection for unpatched systems.
6. Technical Details for Security Professionals
Root Cause Analysis
-
Node.js Path Handling Logic:
- The
node:fsmodule internally processes paths viauv_fs_*functions in libuv. - String paths are normalized and checked for traversal sequences.
Bufferobjects are converted to strings and sanitized (patched in CVE-2023-32004).Uint8Arrayobjects (non-Buffer) bypass sanitization because they are treated as raw byte arrays.
- The
-
Why
Uint8Arrayis Dangerous:- Unlike
Buffer,Uint8Arraylacks automatic string conversion infsfunctions. - Attackers can encode traversal sequences (e.g.,
../) in UTF-8 bytes to evade detection.
- Unlike
Exploit Development (Proof of Concept)
// Malicious Uint8Array representing "../etc/passwd"
const maliciousPath = new Uint8Array([
0x2E, 0x2E, 0x2F, 0x65, 0x74, 0x63, 0x2F, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64
]);
// Exploit vulnerable fs.readFile
const fs = require('fs');
fs.readFile(maliciousPath, (err, data) => {
if (!err) {
console.log("Exploit successful! File content:", data.toString());
} else {
console.error("Exploit failed:", err);
}
});
Detection and Forensics
- Log Analysis:
- Monitor for unusual
fsoperations (e.g., attempts to read/etc/passwd,/proc/self/environ). - Check for
Uint8Arrayobjects in path arguments (if logging is enabled).
- Monitor for unusual
- Runtime Detection:
- eBPF-based tools (e.g., Falco, Tracee) can detect suspicious filesystem access.
- Node.js runtime protection (e.g., Snyk Runtime, Aqua Security) can block malicious path traversal.
- Post-Exploitation Indicators:
- Unexpected file modifications (e.g.,
.bashrc,authorized_keys). - New cron jobs or systemd services created by the Node.js process.
- Unexpected file modifications (e.g.,
Patch Analysis
- Node.js 20.8.1 Fix:
- Commit:
https://github.com/nodejs/node/commit/123abc(example) - Changes:
- Added
Uint8Arraysanitization inlib/fs.js. - Normalization of
Uint8Arraypaths before processing. - Rejection of traversal sequences in
Uint8Arrayinputs.
- Added
- Commit:
Conclusion and Recommendations
Key Takeaways
- Critical Severity: EUVD-2023-43063 is a high-impact vulnerability enabling remote file access and RCE.
- Exploitation is Trivial: Attackers can bypass existing protections using
Uint8Arrayobjects. - Widespread Impact: Affects Node.js 20.x in web apps, serverless, and desktop applications.
- Regulatory Risk: Non-compliance with GDPR, NIS2, DORA if unpatched.
Action Plan for Organizations
| Priority | Action | Responsible Party |
|---|---|---|
| Critical | Patch Node.js to 20.8.1+ | DevOps / IT Operations |
| High | Audit code for Uint8Array usage in fs functions | Development Teams |
| High | Implement runtime protection (e.g., Snyk, Aqua) | Security Teams |
| Medium | Monitor for exploitation attempts | SOC / Threat Intelligence |
| Medium | Review third-party dependencies for vulnerable Node.js versions | Vendor Risk Management |
Final Recommendation
Immediate patching is mandatory for all affected systems. Organizations should combine patching with runtime protection to mitigate risks until upgrades are complete. European entities must ensure compliance with NIS2 and GDPR to avoid regulatory penalties.
For further details, refer to:
References
Affected Products
Node.js
Version: 20.8.0 ≤20.8.0
Vendors
Node.js