CVE-2023-45311

Published: Oct 6, 2023Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Affected (1)

Products: Fsevents Project: Fsevents

Fsevents Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Fsevents Project Fsevents	Before 1.2.11

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (16)

https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11

Source: cve@mitre.org

PatchVendor Advisory

https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987

Source: cve@mitre.org

https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.