CVE-2023-38704

import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for remote code execution in cases where an application passes user-supplied input directly to the `import()` function. This vulnerability has been patched in import-in-the-middle version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using import-in-the-middle, directly or indirectly, and support for EcmaScript Modules is not needed, ensure that no options are set, either via command-line or the `NODE_OPTIONS` environment variable, that would enable loader hooks.
Configurations

Configuration 1 (hide)

cpe:2.3:a:datadoghq:import-in-the-middle:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 08:14

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 8.1
References () https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b - Patch () https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b - Patch
References () https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967 - Mitigation, Third Party Advisory () https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967 - Mitigation, Third Party Advisory

11 Aug 2023, 17:56

Type Values Removed Values Added
First Time Datadoghq
Datadoghq import-in-the-middle
CWE CWE-20 NVD-CWE-noinfo
References (MISC) https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967 - (MISC) https://github.com/DataDog/import-in-the-middle/security/advisories/GHSA-5r27-rw8r-7967 - Mitigation, Third Party Advisory
References (MISC) https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b - (MISC) https://github.com/DataDog/import-in-the-middle/commit/2531cdd9d1d73f9eaa87c16967f60cb276c1971b - Patch
CPE cpe:2.3:a:datadoghq:import-in-the-middle:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

08 Aug 2023, 18:15

Type Values Removed Values Added
Summary `import-in-the-middle` is a module loading interceptor specifically for ESM modules. Prior to version 1.4.2, the `import-in-the-middle` loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an `import()` function. This vulnerability has been patched in `import-in-the-middle` version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using `import-in-the-middle` and support for EcmaScript Modules is not needed, ensure that certain options are set, either via command-line or the `NODE_OPTIONS` environment variable. import-in-the-middle is a module loading interceptor specifically for ESM modules. The import-in-the-middle loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. Prior to version 1.4.2, it allows for remote code execution in cases where an application passes user-supplied input directly to the `import()` function. This vulnerability has been patched in import-in-the-middle version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using import-in-the-middle, directly or indirectly, and support for EcmaScript Modules is not needed, ensure that no options are set, either via command-line or the `NODE_OPTIONS` environment variable, that would enable loader hooks.

07 Aug 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-07 20:15

Updated : 2024-11-21 08:14


NVD link : CVE-2023-38704

Mitre link : CVE-2023-38704

CVE.ORG link : CVE-2023-38704


JSON object : View

Products Affected

datadoghq

  • import-in-the-middle
CWE
CWE-20

Improper Input Validation

NVD-CWE-noinfo