CVE-2023-30581

CVSS v3.1 7.5 (High)

EPSS 0.05 % (23^th)

Affected Products 1

Advisories 26

The use of proto in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Weaknesses

CWE-NVD-noinfo

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2023-11-23 00:15:07
(10 months ago)
Updated Date: 2023-12-11 20:49:02
(9 months ago)

Affected Products

Nodejs

Node.js

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 16.0.0 version and prior 16.20.1 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	< 16.20.1
Nodejs Node.js from 18.0.0 version and prior 18.16.1 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 18.0.0	< 18.16.1
Nodejs Node.js from 20.0.0 version and prior 20.3.1 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 20.0.0	< 20.3.1