CVE-2023-30588

low-risk

Published 2023-11-28

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current context of the users will be gone, and that will cause a DoS scenario. This vulnerability affects all active Node.js versions v16, v18, and, v20.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Node.Js

Affected Vendors

Nodejs

References (5)

Vendor Advisory https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

https://security.netapp.com/advisory/ntap-20240621-0006/

Vendor Advisory https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

https://security.netapp.com/advisory/ntap-20240621-0006/

https://security.netapp.com/advisory/ntap-20241101-0011/

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal