CVE-2023-39331 Information

Description

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.

Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

Reference

https://hackerone.com/reports/2092852