Homepage
About Snyk

Privilege Escalation Affecting node package, versions [16.0.0,16.20.1) [18.0.0,18.16.1) [20.0.0,20.3.1)

0.0
medium

Snyk CVSS

    Attack Complexity High
    Integrity High

    Threat Intelligence

    EPSS 0.07% (30th percentile)
Expand this section
NVD
7.5 high
Expand this section
Red Hat
7.5 high
Expand this section
SUSE
5.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UPSTREAM-NODE-5756501
  • published 6 Jul 2023
  • disclosed 20 Jun 2023
  • credit @sim0nsecurity
Report a new vulnerability Found a mistake?

Introduced: 20 Jun 2023

CVE-2023-30585 Open this link in a new tab
CWE-264 Open this link in a new tab

How to fix?

Upgrade node to version 16.20.1, 18.16.1, 20.3.1 or higher.

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Privilege Escalation via Malicious Registry Key manipulation during Node.js installer repair process. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.

Note:

This vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.