
CVE-2023-30585: Vulnerability in NodeJS Node

High
Published: Tue Nov 28 2023 (11/28/2023, 01:23:08 UTC)
Source: CVE
Vendor/Project: NodeJS
Product: Node

Description

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

AI-Powered Analysis

Last updated: 06/25/2025, 14:02:45 UTC

Technical Analysis

CVE-2023-30585 is a vulnerability affecting the Node.js installation process on Windows systems when using the .msi installer. The issue occurs specifically during the repair operation of the Node.js installation, where the Windows Installer service (msiexec.exe) runs under the highly privileged NT AUTHORITY\SYSTEM context. During this process, msiexec.exe attempts to read the %USERPROFILE% environment variable from the current user's registry hive. The vulnerability arises if the path referenced by %USERPROFILE% does not exist. In such cases, msiexec.exe attempts to create the missing directory path. However, this creation is performed in an unsafe manner, potentially allowing the creation of arbitrary folders in arbitrary locations on the filesystem. The root cause is that the %USERPROFILE% environment variable in the Windows registry can be modified by standard, non-privileged users. This means that an unprivileged user or a malicious process (such as malware or a trojan) can manipulate the registry key to point %USERPROFILE% to a location of their choosing. When the privileged msiexec.exe process runs the repair operation, it will then create folders at these attacker-controlled locations with SYSTEM privileges. This behavior can lead to privilege escalation or persistence mechanisms by allowing attackers to place files or folders in sensitive locations with elevated permissions. This vulnerability is limited to Windows users who install Node.js via the .msi installer; other installation methods (such as zip packages, nvm, or other installers) are not affected. The affected Node.js versions span from 4.0 through 20.0, covering a broad range of currently supported and legacy versions. As of the publication date, there are no known exploits in the wild. No official patches or mitigations have been linked yet, and the vulnerability was reserved and published in 2023. The vulnerability does not have a CVSS score assigned at this time.

Potential Impact

For European organizations, this vulnerability poses a risk primarily in environments where Node.js is installed on Windows systems using the .msi installer. Since msiexec.exe runs with SYSTEM privileges, exploitation could allow an unprivileged user or malware to create folders with elevated privileges in arbitrary locations. This can facilitate privilege escalation, unauthorized persistence, or the planting of malicious payloads that could be executed later by privileged processes or users. The impact on confidentiality is moderate, as the vulnerability itself does not directly expose data but could be leveraged to escalate privileges and access sensitive information. Integrity is at risk because attackers could place or modify files in sensitive locations, potentially altering system or application behavior. Availability impact is lower but possible if attackers use this vector to disrupt system components or install ransomware. Given the widespread use of Node.js in web development, backend services, and automation across European enterprises, especially in sectors like finance, telecommunications, and government, exploitation could lead to significant operational disruptions and security breaches. However, the attack requires local access or prior compromise to manipulate the registry, limiting remote exploitation. The absence of known exploits reduces immediate risk but does not eliminate it, especially in targeted attacks.

Mitigation Recommendations

1. Avoid using the .msi installer for Node.js on Windows systems; instead, use alternative installation methods such as the official zip archives, nvm for Windows, or package managers that do not rely on msiexec repair operations.
2. Restrict write permissions to the registry keys controlling the %USERPROFILE% environment variable to prevent modification by non-privileged users. Implement Group Policy or registry ACLs to harden these keys.
3. Monitor and audit changes to the %USERPROFILE% environment variable and related registry keys to detect unauthorized modifications.
4. Apply the principle of least privilege to user accounts to reduce the likelihood of unprivileged users manipulating environment variables or registry settings.
5. Employ endpoint detection and response (EDR) solutions to detect suspicious msiexec.exe behavior, especially unexpected folder creation in unusual locations.
6. Segregate systems running Node.js installations and limit local user access to reduce the attack surface.
7. Stay updated with Node.js vendor advisories for patches or updated installers addressing this vulnerability and apply them promptly once available.
8. For critical systems, consider implementing application whitelisting to prevent unauthorized execution of modified or malicious files placed via this vulnerability.
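
The audit in recommendation 3 can be done with a read-only check that compares each loaded profile's USERPROFILE value against the profile directory Windows itself recorded. This PowerShell is an added example, not part of the advisory or of Node.js; the registry locations it reads (`HKEY_USERS\<SID>\Environment`, `HKEY_USERS\<SID>\Volatile Environment` and the `ProfileList` key) are assumptions the page does not name, and `Get-UserProfileOverride` is a hypothetical helper name.

```powershell
# Added example: read-only audit of per-user USERPROFILE values.
# Assumption (not stated on the page): the values live under
# HKEY_USERS\<SID>\Environment and HKEY_USERS\<SID>\Volatile Environment.
function Get-UserProfileOverride {   # hypothetical helper name
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    foreach ($entry in Get-ChildItem -LiteralPath $profileList) {
        $sid = $entry.PSChildName
        # Profile directory recorded by the OS; standard users cannot write this key.
        $expected = [string]$entry.GetValue('ProfileImagePath')
        if (-not $expected) { continue }

        foreach ($sub in 'Environment', 'Volatile Environment') {
            $keyPath = "Registry::HKEY_USERS\$sid\$sub"
            # Hives of users who are not logged on are not loaded; skip them.
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }

            $value = (Get-Item -LiteralPath $keyPath).GetValue('USERPROFILE')
            if ($null -eq $value) { continue }
            $value = [string]$value

            # Compare case-insensitively, ignoring a trailing backslash.
            if ($value.TrimEnd('\') -ieq $expected.TrimEnd('\')) { continue }

            [pscustomobject]@{
                Sid        = $sid
                Key        = $sub
                Value      = $value
                Expected   = $expected
                # A missing directory is the precondition the advisory describes.
                PathExists = Test-Path -LiteralPath $value -PathType Container
            }
        }
    }
}

Get-UserProfileOverride | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' loaded hives are readable. Any row it returns is a USERPROFILE value that differs from the profile path in ProfileList and should be reviewed before an .msi repair runs on that host.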


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2023-04-13T01:00:12.086Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed51b

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 2:02:45 PM

Last updated: 7/31/2025, 9:14:50 AM
