CVE-2023-45311 Overview
CVE-2023-45311 is a supply chain vulnerability affecting the fsevents Node.js package before version 1.2.11. The vulnerability stems from the package's dependency on an external S3 URL (https://fsevents-binaries.s3-us-west-2.amazonaws.com) for downloading pre-built binaries. If an adversary gained control of this URL, they could potentially distribute malicious code to any JavaScript project that depends on vulnerable versions of fsevents.
This vulnerability represents a significant supply chain risk, as fsevents is a widely-used native filesystem events library for macOS, commonly included as a transitive dependency in many popular JavaScript development tools and frameworks.
Critical Impact
Supply chain attack vector that could allow arbitrary code execution on developer machines and build systems through compromised binary distribution.
Affected Products
- fsevents versions prior to 1.2.11
- JavaScript/Node.js projects with transitive dependencies on vulnerable fsevents versions
- Development environments and CI/CD pipelines running affected package builds
Discovery Timeline
- 2023-10-06 - CVE CVE-2023-45311 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-45311
Vulnerability Analysis
The vulnerability exists in the binary distribution mechanism of the fsevents package. Prior to version 1.2.11, the package downloaded pre-compiled native binaries from a hardcoded Amazon S3 URL. This external dependency created a supply chain attack surface where an adversary who gains control of the S3 bucket could serve malicious binaries that would be automatically downloaded and executed during the npm install process.
The fsevents package is a native Node.js addon that provides macOS file system events to Node.js applications. Because it requires native compilation, the package offered pre-built binaries to simplify installation. However, relying on an external, potentially mutable URL for these binaries introduced a critical trust boundary issue.
It's worth noting that the advisory includes a caveat: some sources believe that no version is currently affected because the URL is no longer controlled by an adversary. However, the risk exists for any project that may have downloaded and cached vulnerable binaries during a period when the URL could have been compromised.
Root Cause
The root cause of this vulnerability is CWE-94 (Code Injection), specifically arising from the use of an untrusted external URL for downloading executable binary content. The package architecture assumed that the S3 bucket would always be under legitimate control, failing to implement integrity verification mechanisms such as cryptographic signatures or checksums for the downloaded binaries.
Attack Vector
The attack vector is network-based and requires no user interaction or special privileges. An attacker who compromises the S3 bucket hosting the binaries could:
- Replace legitimate pre-built binaries with malicious versions
- Wait for developers to run npm install on affected projects
- Achieve code execution when the malicious binary is downloaded and loaded
- Potentially exfiltrate sensitive data, inject backdoors, or pivot to other systems
The vulnerability is particularly dangerous in CI/CD environments where packages are frequently installed during build processes. The attack could affect multiple organizations through a single point of compromise.
The fsevents Version Comparison shows the changes made between the vulnerable and patched versions.
Detection Methods for CVE-2023-45311
Indicators of Compromise
- Unexpected network connections to fsevents-binaries.s3-us-west-2.amazonaws.com from Node.js processes
- Unusual process spawning or file system activity following npm install operations
- Modified or unusually sized fsevents native binaries in node_modules directories
- Suspicious entries in npm cache directories related to fsevents binaries
Detection Strategies
- Audit package-lock.json files for fsevents versions prior to 1.2.11 using automated dependency scanning tools
- Implement Software Composition Analysis (SCA) in CI/CD pipelines to identify vulnerable transitive dependencies
- Monitor network traffic for connections to the affected S3 URL during build processes
- Use npm audit or similar tools to identify known vulnerabilities in project dependencies
Monitoring Recommendations
- Enable logging for npm install operations to capture dependency resolution and download activity
- Configure network security monitoring to alert on connections to known vulnerable binary hosting URLs
- Implement file integrity monitoring on node_modules directories in production build environments
- Review build logs for evidence of external binary downloads during package installation
How to Mitigate CVE-2023-45311
Immediate Actions Required
- Upgrade fsevents to version 1.2.11 or later in all affected projects
- Audit package-lock.json and yarn.lock files for vulnerable fsevents versions
- Clear npm cache and reinstall dependencies after upgrading to ensure no cached vulnerable binaries remain
- Review CI/CD pipelines and build systems for projects using affected fsevents versions
Patch Information
The vulnerability was addressed in fsevents version 1.2.11, which removed the dependency on the external S3 URL for binary distribution. Projects should update their dependencies by modifying package.json to require fsevents version >=1.2.11 where direct dependencies exist.
For transitive dependencies, updating parent packages that depend on fsevents may be necessary. Tools like npm ls fsevents can help identify the dependency chain.
For additional technical details, refer to the Snyk Vulnerability SNYK-JS-FSEVENTS-5487987.
Workarounds
- If upgrading is not immediately possible, use npm's overrides (npm 8.3+) or yarn's resolutions to force a safe version of fsevents
- Block network access to fsevents-binaries.s3-us-west-2.amazonaws.com at the firewall level in build environments
- Consider using --ignore-scripts flag during npm install to prevent automatic binary execution (note: this may break functionality)
- Implement strict dependency pinning and integrity verification using npm's package-lock.json with integrity hashes
# Force fsevents upgrade using npm overrides in package.json
npm pkg set overrides.fsevents=">=1.2.11"
# Or audit and update dependencies
npm audit fix
# Clear npm cache to remove any cached vulnerable binaries
npm cache clean --force
# Reinstall dependencies with integrity checking
npm ci
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
