CVE-2023-39332

Name	CVE-2023-39332
Description	Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
nodejs (PTS)	jessie	0.10.29~dfsg-2	fixed
	stretch	4.8.2~dfsg-1	fixed
	buster	10.24.0~dfsg-1~deb10u1	fixed
	buster (security)	10.24.0~dfsg-1~deb10u4	fixed
	bullseye (security), bullseye	12.22.12~dfsg-1~deb11u4	fixed
	bookworm	18.13.0+dfsg1-1	fixed
	bookworm (security)	18.19.0+dfsg-6~deb12u1	fixed
	sid, trixie	18.20.1+dfsg-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
nodejs	source	(unstable)	(not affected)

Notes

- nodejs <not-affected> (Only affects 20.x)
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#path-traversal-through-path-stored-in-uint8array-high---cve-2023-39332