CVE-2023-32006

CVSS v3.1 8.8 (High)
EPSS 0.14% (51st)
Affected Products 2
Advisories 27

The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Weaknesses: CWE-NVD-noinfo
CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2023-08-15 16:15:11 (13 months ago)
Updated Date: 2023-09-15 14:15:10 (12 months ago)

Affected Products

Configuration #1

  Product | CPE23 | From | Up To
  Nodejs Node.js from 16.0.0 version and 16.20.1 and prior versions | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 16.0.0 | <= 16.20.1
  Nodejs Node.js from 18.0.0 version and 18.17.0 and prior versions | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 18.0.0 | <= 18.17.0
  Nodejs Node.js from 20.0.0 version and 20.5.0 and prior versions | cpe:2.3:a:nodejs:node.js::*:*:*:- | >= 20.0.0 | <= 20.5.0

Configuration #2

  Product | CPE23 | From | Up To
  Fedoraproject Fedora 37 | cpe:2.3:o:fedoraproject:fedora:37 | |
  Fedoraproject Fedora 38 | cpe:2.3:o:fedoraproject:fedora:38 | |