← Back

CVE-2023-32006

nvd nist
Published: Aug 15, 2023Modified: May 8, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Affected (5)

Nodejs
1 product
Node.js
Fedoraproject
1 product
Fedora
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Nodejs
Node.js
From 16.0.0 to 16.20.1
Node.js
From 18.0.0 to 18.17.0
Node.js
From 20.0.0 to 20.5.0
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 37
Fedora
Version 38

Related CWEs

CWE-693
Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (8)

Source: support@hackerone.com
Issue Tracking
Source: support@hackerone.com
Mailing List
Source: support@hackerone.com
Mailing List
Source: support@hackerone.com
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.