CVE-2023-30585 is a security vulnerability identified in the Node.js MSI installer for Windows platforms, impacting all Node.js versions from 4.0 through 20.0. The vulnerability manifests during the repair operation of the Node.js installation, where the Windows Installer service (msiexec.exe) runs under the NT AUTHORITY\SYSTEM context and attempts to read the %USERPROFILE% environment variable from the current user's registry hive. The problem arises when the path pointed to by %USERPROFILE% does not exist on the filesystem. In this scenario, msiexec.exe attempts to create the missing directory path but does so in an unsafe manner that does not properly validate or restrict the location of the created folders. Because the %USERPROFILE% environment variable registry key can be modified by standard, non-privileged users, an attacker with local access can manipulate this key to point to arbitrary locations. When the repair operation is triggered, msiexec.exe will create folders in these attacker-controlled paths with SYSTEM privileges. This behavior can be exploited to create directories or files in protected areas, potentially enabling privilege escalation, persistence mechanisms, or other malicious activities that require elevated privileges. The vulnerability is specific to the MSI installer method on Windows; users installing Node.js through other means (e.g., ZIP archives, package managers) are not affected. As of the publication date, no known exploits have been reported in the wild, and no CVSS score has been assigned. The vulnerability requires local user access and some user interaction (triggering a repair), limiting remote exploitation but still posing a significant risk in environments where local user accounts may be compromised or untrusted.

For European organizations, this vulnerability primarily threatens Windows systems where Node.js is installed using the MSI installer. The ability for a non-privileged user to manipulate the %USERPROFILE% environment variable and cause the SYSTEM-level msiexec.exe process to create arbitrary folders can lead to privilege escalation or persistence on critical servers or developer workstations. This risk is heightened in environments with shared or multi-user Windows systems, such as development teams, CI/CD servers, or build environments common in European tech companies. Exploitation could allow attackers to implant malicious payloads or backdoors with SYSTEM privileges, undermining confidentiality, integrity, and availability of affected systems. While remote exploitation is not feasible, insider threats or malware with local access could leverage this vulnerability. Given the widespread use of Node.js in European enterprises and public sector organizations, especially in software development and cloud infrastructure, the vulnerability could impact a broad range of targets. The lack of a patch at the time of disclosure increases exposure, and organizations with strict security policies relying on MSI installations should prioritize mitigation to avoid lateral movement or privilege escalation attacks.

European organizations should immediately audit their Windows systems to identify Node.js installations performed via the MSI installer. Where possible, switch to alternative installation methods such as ZIP archives or package managers that are not affected by this vulnerability. Until a patch is released, restrict local user permissions to prevent modification of the %USERPROFILE% environment variable in the registry. Implement monitoring to detect unusual folder creation activities initiated by msiexec.exe or other SYSTEM processes. Employ application whitelisting and endpoint detection and response (EDR) tools to identify suspicious repair operations or privilege escalation attempts. Educate users and administrators about the risk of running repair operations without verifying environment variables. In environments with shared workstations or developer machines, enforce strict user account controls and consider isolating build environments to reduce the risk of local exploitation. Finally, stay updated with Node.js vendor advisories and apply official patches promptly once available.