Homepage
About Snyk

Exposure of Resource to Wrong Sphere The advisory has been revoked - it doesn't affect any version of package fsevents Open this link in a new tab

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.44% (75th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-FSEVENTS-5487987
  • published 27 Apr 2023
  • disclosed 27 Apr 2023
  • credit giraffesecurity.dev
Report a new vulnerability Found a mistake?

Introduced: 27 Apr 2023

CVE-2023-45311 Open this link in a new tab
CWE-668 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade fsevents to version 1.2.11 or higher.

Amendment

This was deemed not a vulnerability.

Overview

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere by loading a binary from an insecure hardcoded S3 bucket URL, which was demonstrated by an ethical hacker to be susceptible to takeover by malicious actors and used to conduct remote code execution. Loading the remote binary was removed in version 1.2.11 meaning this and later versions were not exposed to this attack vector.

During the disclosure process Snyk confirmed with the security researcher that AWS had agreed to take ownership and block all access to the S3 bucket and as such it has mitigated the straightforward attack vector - this can be further confirmed by attempting to access the bucket which returns a AllAccessDisabled error.