Integrity Check Vulnerability in Node.js by Node.js Foundation
CVE-2023-38552
7.5 HIGH
What is CVE-2023-38552?
A vulnerability in the experimental Node.js policy mechanism allows an application to intercept integrity checks. By returning a forged checksum, the application can bypass the safeguard provided by the trusted manifest, so the integrity verification can no longer be relied on. This affects all users of the policy mechanism in Node.js 18.x and 20.x, and may expose software to security risks from compromised integrity checks.
Affected Version(s)
Node 4.0 < 4.*
Node 5.0 < 5.*
Node 6.0 < 6.*