Bug 2244414 (CVE-2023-39332) - CVE-2023-39332 nodejs: path traversal through path stored in Uint8Array
Summary: CVE-2023-39332 nodejs: path traversal through path stored in Uint8Array
Keywords:
Status: NEW
Alias: CVE-2023-39332
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2244460 2244461 2244452 2244453 2244454 2244455 2244456 2244457 2244458 2244459 2244462 2244493 2258564 2258565
Blocks: 2244419
TreeView+ depends on / blocked
 
Reported: 2023-10-16 12:31 UTC by Dhananjay Arunesh
Modified: 2025-11-04 13:50 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7205 0 None None None 2023-11-14 16:55:19 UTC

Description Dhananjay Arunesh 2023-10-16 12:31:39 UTC 
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects.

References:
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
Comment 1 Dhananjay Arunesh 2023-10-16 14:26:13 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2244452]
Affects: fedora-37 [bug 2244459]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2244454]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2244456]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2244453]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244461]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244458]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2244460]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2244455]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2244457]
Comment 7 errata-xmlrpc 2023-11-14 16:55:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
Comment 8 Dhananjay Arunesh 2024-01-16 10:00:21 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2258564]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2258565]
Comment 10 Hemoni 2024-06-20 02:11:37 UTC Comment hidden (spam)
Comment 11 eric conley 2025-05-02 04:15:32 UTC Comment hidden (spam)
Comment 12 TomasJuhasz 2025-05-05 09:02:18 UTC 
(In reply to eric conley from comment #11)
> I would like to confirm that CVE-2023-39332 has been addressed in Red Hat
> Enterprise Linux 8 via RHSA-2023:7205. For other affected platforms, such as
> Fedora and EPEL, the associated tracking bugs (e.g., Bug 2244452 for EPEL 7
> and Bug 2244459 for Fedora 37) indicate that patches are being managed
> accordingly.- https://geekydane.com

Hello,
The CVE-2023-39332 was fixed in nodejs version 20.8.1(https://nodejs.org/en/blog/vulnerability/october-2023-security-releases), which was then used by RHSA-2023:7205 as a re-base version.
Connected jira-ticket (https://issues.redhat.com/browse/RHEL-13856)
Comment 13 Madinem 2025-06-02 06:37:44 UTC Comment hidden (spam)
Comment 14 Elizabeth E. Hall 2025-06-02 09:10:07 UTC Comment hidden (spam)
Comment 15 andrewthecarter2025 2025-11-04 13:49:20 UTC 
(In reply to Dhananjay Arunesh from comment #0)
> Various node:fs functions allow specifying paths as either strings or
> Uint8Array objects. In Node.js environments, the Buffer class extends the
> Uint8Array class. Node.js prevents path traversal through strings (see
> CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through
> non-Buffer Uint8Array objects.
> 
> References:
> https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
> texttoolz.com

This bug (CVE-2023-39332) describes a high severity path traversal vulnerability in Node.js: path traversal is possible through non-Buffer Uint8Array objects passed to node:fs functions. While Node.js blocks traversal via strings and Buffer objects, it failed for non-Buffer Uint8Array, leading to potential security risks. The issue was fixed in Node.js v20.8.1 and addressed by Red Hat in RHSA-2023:7205.
Comment 16 andrewthecarter2025 2025-11-04 13:50:02 UTC 
(In reply to andrewthecarter2025 from comment #15)
> (In reply to Dhananjay Arunesh from comment #0)
> > Various node:fs functions allow specifying paths as either strings or
> > Uint8Array objects. In Node.js environments, the Buffer class extends the
> > Uint8Array class. Node.js prevents path traversal through strings (see
> > CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through
> > non-Buffer Uint8Array objects.
> > 
> > References:
> > https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
> > https://texttoolz.com
> 
> This bug (CVE-2023-39332) describes a high severity path traversal
> vulnerability in Node.js: path traversal is possible through non-Buffer
> Uint8Array objects passed to node:fs functions. While Node.js blocks
> traversal via strings and Buffer objects, it failed for non-Buffer
> Uint8Array, leading to potential security risks. The issue was fixed in
> Node.js v20.8.1 and addressed by Red Hat in RHSA-2023:7205.
Note You need to log in before you can comment on or make changes to this bug.