Bypass Policy Mechanism in Node.js Affecting Multiple Versions
CVE-2023-32006
8.8 HIGH
What is CVE-2023-32006?
This vulnerability arises from the module.constructor.createRequire() function, which can be used to bypass the policy mechanism and load modules outside the restrictions defined in policy.json. It affects users of the experimental policy feature in Node.js, potentially leading to unregulated module loading and other security concerns across versions 16.x, 18.x, and 20.x.
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
