CVE-2023-38704
Remote Code Execution vulnerability in import-in-the-middle (npm)
What is CVE-2023-38704 About?
This vulnerability in `import-in-the-middle` allows Remote Code Execution (RCE): the loader generates wrapper modules from module specifiers, and a specifier built from user-supplied input can end up in that generated code. An attacker can use this to execute arbitrary code on the affected system. Exploitation requires the application to pass untrusted input directly to an import() function.
Affected Software
Technical Details
The import-in-the-middle loader dynamically generates a wrapper module that loads the original module and adds wrapping code. The vulnerability occurs when an application passes unsanitized, user-supplied input directly to the import() function. If this input is a malicious module specifier, the import-in-the-middle loader, in its process of generating a wrapper and importing the module, might execute attacker-controlled code embedded within or referenced by the malicious specifier. The attack vector relies on the application inadvertently trusting and processing user input as a module path or content.
What is the Impact of CVE-2023-38704?
Successful exploitation may allow attackers to execute arbitrary code on the underlying system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2023-38704?
Exploitation requires that the target application directly passes unsanitized user-supplied input to an import() function. This typically implies a medium complexity, as the attacker needs to understand the application's input processing. No authentication and no specific privileges are required if the vulnerable import() call is accessible to unauthenticated input. This is generally a remote attack if user input can originate from a network request. The key constraint is the specific application behavior of passing untrusted input to import(). The risk is higher in applications that dynamically load modules based on external input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-38704?
About the Fix from Resolved Security
The patch fixes improper handling of untrusted URLs by wrapping dynamic import specifiers with JSON.stringify, ensuring they're properly quoted and escaped in the generated code. This prevents an attacker from injecting malicious code via crafted URL input, addressing the code injection vulnerability identified as CVE-2023-38704.
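The quoting change described above, as an added example that is not from the original page or the project's code: a simplified wrapper generator before and after the fix, with a text-only check that the specifier stays inside its string literal. The names `register` and `namespace`, the function names and the sample specifiers are assumptions made for illustration.

```javascript
// Added illustration: simplified, not import-in-the-middle's actual source.
// register() and namespace are stand-in names in the generated text.

// Pre-fix pattern: the specifier is pasted between hand-written quotes.
const unsafeWrapper = (url) => `register('${url}', namespace)`;

// Post-fix pattern: JSON.stringify emits one quoted, escaped literal.
const safeWrapper = (url) => `register(${JSON.stringify(url)}, namespace)`;

// Scan one JS string literal starting at src[start]; return the index just
// past its closing quote, or -1 if the literal never terminates on its line.
function endOfStringLiteral(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i++; continue; }            // skip escaped char
    if (src[i] === '\n' || src[i] === '\r') return -1; // raw newline breaks it
    if (src[i] === quote) return i + 1;
  }
  return -1;
}

// True when the whole specifier stayed inside the first argument, i.e. the
// text after the literal is exactly the tail the generator intended.
function staysInLiteral(generate, url) {
  const src = generate(url);
  const end = endOfStringLiteral(src, 'register('.length);
  return end !== -1 && src.slice(end) === ', namespace)';
}

// Constructed sample specifiers (not taken from the advisory).
const samples = [
  'file:///srv/app/plugin.mjs',      // ordinary path
  "file:///srv/app/it's.mjs",        // contains the hand-written quote char
  'file:///srv/app/trailing\\',      // ends in a backslash
  'file:///srv/app/line\nbreak.mjs', // contains a raw newline
];

// One boolean per sample: did the generated code keep it as a single literal?
function audit(generate) {
  return samples.map((url) => staysInLiteral(generate, url));
}

console.log('unsafe:', audit(unsafeWrapper));
console.log('safe:  ', audit(safeWrapper));
```

The check never evaluates the generated text, so it is safe to run over specifiers collected from logs or test fixtures.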
Available Upgrade Options
- import-in-the-middle
  - <1.4.2 → Upgrade to 1.4.2
Additional Resources
- https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967
- https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b
- https://nvd.nist.gov/vuln/detail/CVE-2023-38704
- https://github.com/DataDog/import-in-the-middle
- https://osv.dev/vulnerability/GHSA-5r27-rw8r-7967
What are Similar Vulnerabilities to CVE-2023-38704?
Similar Vulnerabilities: CVE-2023-39659, CVE-2023-32313, CVE-2022-26134, CVE-2021-44228, CVE-2020-8174
