Safeguard
Vulnerabilities

Notable CVEs of 2023: A Practitioner's Roundup

From an OpenSSL IV-truncation flaw to a critical Babel code-execution bug, 2023's CVE crop is a good reminder that severity and blast radius don't always line up.

Safeguard Research Team
Research
6 min read

CVE-2023-5363 is a good starting point for a 2023 retrospective because it's exactly the kind of finding that's easy to underrate: an OpenSSL flaw in how key and IV lengths are processed during symmetric cipher initialization, disclosed in October, that quietly undermined confidentiality guarantees in specific authenticated encryption modes without ever making front-page news. 2023 produced plenty of headline vulnerabilities, but the ones worth remembering a year later are often the quieter library-level bugs that ended up in thousands of dependency trees. This roundup covers the disclosures that practitioners should still recognize on sight.

What happened with the OpenSSL IV-truncation bug?

CVE-2023-5363 affected OpenSSL 3.0 and 3.1 and stemmed from a subtle ordering problem: when applications called EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), or EVP_CipherInit_ex2(), the OSSL_PARAM array carrying key and IV length adjustments was processed after the key and IV had already been established, so changes to those lengths silently failed to take effect. For ciphers like CCM, GCM, and OCB, where IV uniqueness is load-bearing for confidentiality, truncated IVs created a real risk of plaintext recovery or forged authenticated messages under reuse. OpenSSL shipped fixes in 3.0.12 and 3.1.4, and because OpenSSL underpins an enormous share of TLS and cryptographic tooling across the ecosystem, this was one of the higher-leverage library fixes of the year despite a comparatively modest 7.5 CVSS score.

Which JavaScript and Node ecosystem CVEs mattered?

Two disclosures stood out here. CVE-2023-45857 affected Axios versions 0.8.1 through 1.5.1: when withCredentials was enabled, Axios's XSRF-TOKEN cookie handling logic effectively bypassed a same-origin check and forwarded the token in the X-XSRF-TOKEN header to any destination host, not just the originating site, creating a real information-disclosure and CSRF risk for applications that relied on the token staying scoped to same-origin requests. Separately, CVE-2023-45133 hit the JavaScript build toolchain rather than a runtime library: a critical arbitrary code execution flaw in @babel/traverse before 7.23.2, triggered when Babel compiled specifically crafted malicious code using plugins that relied on the internal path.evaluate() method — affecting @babel/plugin-transform-runtime, @babel/preset-env's useBuiltIns option, and several polyfill provider plugins. The 9.3 CVSS score reflected the severity, though the practical exposure was narrower than the score alone suggests, since it required compiling attacker-controlled source rather than a purely remote network attack path.

What went wrong in Java and Spring-adjacent tooling?

CVE-2023-1370 hit net.minidev:json-smart, a widely embedded JSON parsing library, with an uncontrolled-recursion denial of service: the parser had no depth limit on nested arrays or objects, so a deeply nested payload could exhaust the JVM's stack and crash the parsing thread with no authentication required. CVE-2023-34034 was a more serious Spring Security issue: using ** as a WebFlux path pattern created a mismatch between how Spring Security and Spring WebFlux each interpreted the wildcard, so a pattern like pathMatchers("admin/**") without a leading slash could be bypassed entirely, letting unauthenticated requests reach routes meant to be protected. Its 9.8 CVSS score was earned — this was a genuine authentication bypass, not a theoretical edge case, and it pushed a lot of Spring Security upgrades that quarter.

What about the Apache Tomcat and Dromara findings?

Tomcat had two notable 2023 disclosures. CVE-2023-46589 was an HTTP request-smuggling flaw caused by incorrect parsing of oversized chunked-transfer trailer headers, letting a single request be misinterpreted as multiple requests when Tomcat sat behind a reverse proxy — a classic smuggling setup that can bypass front-end security controls and enable cache poisoning or session hijacking. CVE-2023-41080 was a lower-severity but still practically relevant open redirect in Tomcat's FORM authentication handling, where a crafted saved-request URL could resolve to a protocol-relative external address like //evil.com. Outside Tomcat itself, CVE-2023-44794 was a critical (9.8 CVSS) privilege escalation in Dromara Sa-Token before 1.36.0, caused by a path-normalization mismatch between Sa-Token and Spring that let crafted URLs bypass route-based authentication checks entirely.

Did anything notable land in libxml2 or VMware/Spring Boot?

CVE-2023-29469 was a double-free vulnerability in libxml2 before 2.10.4, rooted in the xmlDictComputeFastKey function producing non-deterministic hash values for empty dictionary strings in crafted XML — a memory-corruption bug with real denial-of-service impact given how broadly libxml2 is embedded across Linux and application toolchains. And CVE-2023-20873 was a critical authentication bypass in Spring Boot applications deployed to Cloud Foundry, affecting Spring Boot 3.0.0-3.0.5 and 2.7.0-2.7.10, where a specially crafted request could achieve a full security bypass on network-exposed deployments — another entry in 2023's uncomfortably long list of Spring ecosystem authentication-bypass bugs. Finally, CVE-2023-34462 rounded out the year's denial-of-service crop: a Netty SniHandler flaw that allowed up to 16MB of heap allocation per connection during TLS handshake parsing of a crafted ClientHello, fixed in Netty 4.1.94.Final with an added maxClientHelloLength guard.

What's the practical takeaway from 2023's disclosures?

The common thread across this list isn't a single root cause — it spans crypto library logic, wildcard path-matching mismatches, unbounded recursion, and header parsing edge cases. What they share is depth of embedding: OpenSSL, Axios, Babel, json-smart, Tomcat, and libxml2 all sit deep enough in dependency trees that a single fix has to propagate through thousands of downstream projects before it's actually resolved everywhere. That propagation lag is exactly what continuous SCA scanning is built to catch — flagging a vulnerable transitive dependency the moment a database update lands, rather than waiting for a manual audit to notice.

FAQ

What is CVE-2023-5363?

CVE-2023-5363 is an OpenSSL vulnerability in how key and IV lengths are processed during cipher initialization, which could cause IV truncation and undermine confidentiality in authenticated encryption modes like GCM and CCM in OpenSSL 3.0 and 3.1.

Was CVE-2023-34034 actually exploitable?

Yes — it was a genuine Spring Security WebFlux authentication bypass affecting any configuration using an un-prefixed ** wildcard pattern, and it carried a 9.8 CVSS score reflecting real unauthenticated access risk.

Which 2023 CVE affected the JavaScript build toolchain rather than a runtime library?

CVE-2023-45133 affected @babel/traverse, enabling arbitrary code execution when Babel compiled specifically crafted malicious source using certain plugins.

Why do library-level CVEs like these matter more than their CVSS score alone suggests?

Because libraries like OpenSSL, Axios, and libxml2 are embedded across huge numbers of downstream projects, a single fix can take months to fully propagate, making transitive dependency monitoring essential.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.