CVE-2023-45311

Public Exploit

Description

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.43%
Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com Vendor Advisory github.com
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11 patch vendor advisory
https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153 vendor advisory exploit
https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902 vendor advisory exploit
https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512 vendor advisory exploit
https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494 vendor advisory exploit
https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267 vendor advisory exploit
https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737 vendor advisory exploit
https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987

Frequently Asked Questions

What is the severity of CVE-2023-45311?
CVE-2023-45311 has been scored as a critical severity vulnerability.
How to fix CVE-2023-45311?
To fix CVE-2023-45311, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-45311 being actively exploited in the wild?
It is possible that CVE-2023-45311 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.