CVE-2023-38704 Information

Aug 08, 2023 cve

Description

import-in-the-middle is a module loading interceptor specifically for ESM modules. Prior to version 1.4.2 the import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an import() function. This vulnerability has been patched in import-in-the-middle version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to import(). Instead verify it against a set of allowed values. If using import-in-the-middle and support for EcmaScript Modules is not needed ensure that certain options are set either via command-line or the NODE_OPTIONS environment variable.

Reference

https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967

Share on: