CVE-2023-45311
Supply Chain Vulnerability in fsevents (npm)
What is CVE-2023-45311 About?
Before version 1.2.11, `fsevents` downloaded its pre-compiled binaries from an external S3 URL. An adversary controlling that URL could serve malicious code, leading to arbitrary code execution in any JavaScript project that installs an affected `fsevents` dependency from the compromised source. The ease of exploitation depends on an attacker gaining control of the S3 bucket.
Affected Software
Technical Details
The fsevents package, in versions prior to 1.2.11, has a direct dependency on an external URL: https://fsevents-binaries.s3-us-west-2.amazonaws.com. This setup means that fsevents downloads pre-compiled binaries from this S3 bucket during its installation or build process. The vulnerability arises if an adversary were to gain control over this specific S3 bucket or its contents. If compromised, the adversary could replace the legitimate fsevents binaries with malicious code. Any JavaScript project that depends on fsevents and subsequently installs or builds the package while the S3 bucket is compromised would download and potentially execute this malicious code. This creates a severe supply chain attack vector, as the integrity of the installed package depends entirely on the security of the third-party S3 resource. The malicious code would then be executed in the context of the user or system building or installing the package, leading to arbitrary code execution.
What is the Impact of CVE-2023-45311?
Successful exploitation may allow attackers to execute arbitrary code on the developer's or user's system during package installation, leading to system compromise or developer supply chain attacks.
What is the Exploitability of CVE-2023-45311?
Exploitation requires an attacker to gain control over the fsevents-binaries.s3-us-west-2.amazonaws.com S3 bucket. If this prerequisite is met, the complexity for the attacker is low, as users would unknowingly download and execute the malicious binaries during the normal fsevents installation process (e.g., npm install). This is primarily a remote exploitation scenario, requiring control over the distribution source. No authentication is needed on the victim's side, as the malware is delivered via the standard package installation. No specific privileges are needed beyond those required to install the package, but the malicious code would execute with the user's privileges. The risk is high for projects relying on this vulnerable version if the S3 bucket is ever compromised.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-45311?
About the Fix from Resolved Security
Available Upgrade Options
- fsevents
- <1.2.11 → Upgrade to 1.2.11
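An added example, not code from the advisory or from the fsevents project: a check that scans a parsed npm `package-lock.json` for `fsevents` pins below 1.2.11, including transitive ones nested under other packages, so a repository can be triaged before upgrading. The version-comparison helper, the lockfile walkers and the sample lockfile are all constructed for this example.

```javascript
// Added example, not the advisory's or the fsevents project's own code: scan a parsed
// npm package-lock.json for fsevents pins below the fixed version 1.2.11, covering
// lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by path).
const FIXED_VERSION = '1.2.11';
// Dotted numeric version compare: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are dropped, which is sufficient for this threshold check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Returns one { path, version } finding per fsevents entry older than FIXED_VERSION.
function findVulnerableFsevents(lock) {
  const findings = [];
  const check = (path, entry) => {
    if (entry && typeof entry.version === 'string' &&
        compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: entry.version });
    }
  };
  if (lock.packages) { // v2/v3: keys like "node_modules/chokidar/node_modules/fsevents"
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === 'node_modules/fsevents' || key.endsWith('/node_modules/fsevents')) check(key, entry);
    }
    return findings;
  }
  const walk = (deps, prefix) => { // v1: transitive deps nest under each entry
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      if (name === 'fsevents') check(path, entry);
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}
// Constructed sample (v1 layout): the top-level pin is fixed, a transitive one is not.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    chokidar: { version: '2.1.8', dependencies: { fsevents: { version: '1.2.9' } } },
    fsevents: { version: '1.2.11' },
  },
};
console.log(findVulnerableFsevents(SAMPLE_LOCK)); // [{ path: 'chokidar > fsevents', version: '1.2.9' }]
```

A real lockfile is loaded with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and passed to `findVulnerableFsevents`; an empty result means no pin below 1.2.11 is recorded, though optional-dependency entries that npm omitted on non-macOS hosts are not visible to this check.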
Additional Resources
- https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11
- https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512
- https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902
- https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737
- https://github.com/fsevents/fsevents
- https://nvd.nist.gov/vuln/detail/CVE-2023-45311
- https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267
- https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494
- https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987
- https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058
What are Similar Vulnerabilities to CVE-2023-45311?
Similar Vulnerabilities: CVE-2022-24348, CVE-2021-29425, CVE-2020-15168, CVE-2019-1000008, CVE-2018-1000130
