{"uuid": "a1d0e08a-8d00-42e2-9f7e-0861da5263a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30586", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/15551", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-30586\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.\n\ud83d\udccf Published: 2023-06-30T23:40:08.238Z\n\ud83d\udccf Modified: 2025-05-08T16:14:11.957Z\n\ud83d\udd17 References:\n1. https://hackerone.com/reports/1954535\n2. https://security.netapp.com/advisory/ntap-20230803-0008/", "creation_timestamp": "2025-05-08T16:23:50.000000Z"}