Wind River Support Network

HomeDefectsLIN1022-5646
Fixed

LIN1022-5646 : Security Advisory - nodejs - CVE-2023-39332

Created: Oct 15, 2023    Updated: Jan 26, 2026
Resolved Date: Oct 13, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.13
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Userspace

Description

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects.

This is distinct from CVE-2023-32004 ([report 2038134](https://hackerone.com/reports/2038134)), which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

https://nvd.nist.gov/vuln/detail/CVE-2023-39332
  • Linkedin
  • Facebook
  • Twitter
  • Youtube