{"vulnerability": "CVE-2023-32004", "sightings": [{"uuid": "30e166eb-b056-4f8d-b15f-0e25eec8db5e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32004", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-08", "content": "", "creation_timestamp": "2024-11-14T12:00:00.000000Z"}, {"uuid": "2a133d70-bab6-497c-8b39-fcbe39878e1f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32004", "type": "seen", "source": "https://t.me/cibsecurity/72477", "content": "\u203c CVE-2023-39332 \u203c\n\nVarious `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.This is distinct from CVE-2023-32004 ([report 2038134](https://hackerone.com/reports/2038134)), which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.Impacts:This vulnerability affects all users using the experimental permission model in Node.js 20.Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-18T07:33:24.000000Z"}, {"uuid": "11851af0-a19b-4ddd-bc73-3bad450234b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-32004", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/15554", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-32004\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.\n\nThis vulnerability affects all users using the experimental permission model in Node.js 20.\n\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.\n\ud83d\udccf Published: 2023-08-15T15:10:19.152Z\n\ud83d\udccf Modified: 2025-05-08T16:05:43.836Z\n\ud83d\udd17 References:\n1. https://hackerone.com/reports/2038134\n2. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/\n3. https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/\n4. https://security.netapp.com/advisory/ntap-20230915-0009/", "creation_timestamp": "2025-05-08T16:23:53.000000Z"}]}