nodejs/node v20.3.1

2023-06-20, Version 20.3.1 (Current), @RafaelGSS

on GitHub

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
• CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
• CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
• CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
• CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
• CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
• CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
• CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
• CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
• CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May

More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.

Commits

• [dac08dafc9] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) nodejs-private/node-private#393
• [d274c3babc] - crypto,https,tls: disable engines if perms enabled (Tobias Nießen) nodejs-private/node-private#409
• [5621c1de38] - deps: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
• [771caa9f1c] - deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402
• [0459bf9c99] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
• [27e20501aa] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#427
• [9c17e335f1] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
• [b51124c637] - permission: handle fs path traversal (RafaelGSS) nodejs-private/node-private#403
• [ebc5927adc] - permission: handle fs.openAsBlob (RafaelGSS) nodejs-private/node-private#405
• [c39a43bff5] - permission: handle fs.watchFile (RafaelGSS) nodejs-private/node-private#404
• [d0a8264ec9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
• [3df13d5a79] - src,permission: restrict inspector when pm enabled (RafaelGSS) nodejs-private/node-private#410