Does BDSA-2023-1613 (CVE-2023-3420) impacts Node?

[ambercool99]

Details

In our Node project we currently use 18..16.1 version, our security scans reported vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-3420
with V8.
the vulnerability details says that it impacts Chrome and Dabian_Linux.
Note sure if this impacts Node runtime.
I could not find anything which related this vulnerability to Node.
Please help...

Node.js version

18.16.1

Example code

No response

Operating system

Alpine (Linux)

Scope

runtime

Module and version

V8

[gireeshpunathil]

@nodejs/v8 - pls advise!

[preveen-stack]

cc @nodejs/security-release

[RafaelGSS]

The CVE details don't say much. https://bugs.chromium.org/p/chromium/issues/detail?id=1452137 isn't public. I will wait for v8 advise.

[mhdawson]

@targos do you know who a good v8 contact might be to follow up with?

[camillobruni]

V8-dev here: which V8 version are you using?

[camillobruni]

This issue applies to node as well.
The disclosed version numbers by the NVD apply as well, up to Chrome 114.0.5735.198 (v8 11.4.183.25).

The issue was related to V8's optimizing JIT compiler (Turbofan) and could be triggered by an attacker able to execute arbitrary JavaScript code.

[mcollina]

@camillobruni that was my assessment, thanks for confirming my initial assessment by looking at the CVE!

This is outside our threat model.

Having said that, I think we should aim to backport a fix anyway.

[mhdawson]

To clarify what @camillobruni and @mcollina said in the above comments. My understanding is that while the issue exists in the Node.js code base, it is not considered a vulnerability in Node.js because protecting againts how it can be used is outside of the Node.js threat model. This is because based on the threat model we trust the code that Node.js has been asked to run.

[preveen-stack]

Ref: https://en.m.wikipedia.org/wiki/Threat_model

[RafaelGSS]

@camillobruni I'm looking at it over the weekend, was it backported to v10.x? Otherwise, I believe we won't be able to add that patch to Node.js 18, unless we are sure it doesn't mix semver-major features (v11.x).

[targos]

I opened nodejs/node#50077 with the fixes that V8 applied to their 11.4 branch.

@RafaelGSS There is no concept of v10.x or v11.x in V8. The project doesn't follow semver.