CVE-2023-38704 HIGH

CVE-2023-38704: import-in-the-middle allows unsanitized user controlled input in module generation

Vendor Datadog

Product import-in-the-middle

Weakness CWE-20 · Input validation

Published August 7, 2023

Last update October 3, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for remote code execution in cases where an application passes user-supplied input directly to the `import()` function. This vulnerability has been patched in import-in-the-middle version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using import-in-the-middle, directly or indirectly, and support for EcmaScript Modules is not needed, ensure that no options are set, either via command-line or the `NODE_OPTIONS` environment variable, that would enable loader hooks.

Key dates

02Disclosure timeline

August 7, 2023 CVE published

October 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-38704

Related vulnerabilities

CVE-2023-38704: import-in-the-middle allows unsanitized user controlled input in module generation

01Description

02Disclosure timeline

03References

04Related CVE