What is CVE-2023-32002?

CVE-2023-32002 is a vulnerability that allows the use of `Module._load()` to bypass the policy mechanism and require modules outside of the policy.json definition for a given module in Node.js, affecting all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.

How does CVE-2023-32002 impact Node.js users?

CVE-2023-32002 impacts Node.js users who are using the experimental policy mechanism in active release lines 16.x, 18.x, and 20.x, by allowing the bypassing of the policy mechanism and requiring modules outside of the policy.json definition for a given module.

What is the severity of CVE-2023-32002?

The severity of CVE-2023-32002 is rated as critical with a CVSS score of 9.8.

How can I fix CVE-2023-32002 vulnerability in Node.js?

To fix the CVE-2023-32002 vulnerability in Node.js, users should update to the latest version of Node.js from the affected release lines: 16.x, 18.x, and 20.x, once a patch or new version is released by the Node.js maintainers.

Where can I find more information about CVE-2023-32002?

More information about CVE-2023-32002 can be found in the following resources: 1. [HackerOne Report](https://hackerone.com/reports/1960870) 2. [NetApp Advisory](https://security.netapp.com/advisory/ntap-20230915-0009/)

Vulnerability/
CVE-2023-32002

critical

9.8

10/8/2023

21/8/2023

1/2/2024

CVE-2023-32002

First published: Thu Aug 10 2023(Updated: )

Node.js could allow a remote attacker to bypass security restrictions, caused by the use of Module._load(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
Nodejs Node.js	>=16.0.0<=16.20.1
Nodejs Node.js	>=18.0.0<=18.17.0
Nodejs Node.js	>=20.0.0<=20.5.0
	<=2.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7096528

Frequently Asked Questions

What is CVE-2023-32002?
CVE-2023-32002 is a vulnerability that allows the use of `Module._load()` to bypass the policy mechanism and require modules outside of the policy.json definition for a given module in Node.js, affecting all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.
How does CVE-2023-32002 impact Node.js users?
CVE-2023-32002 impacts Node.js users who are using the experimental policy mechanism in active release lines 16.x, 18.x, and 20.x, by allowing the bypassing of the policy mechanism and requiring modules outside of the policy.json definition for a given module.
What is the severity of CVE-2023-32002?
The severity of CVE-2023-32002 is rated as critical with a CVSS score of 9.8.
How can I fix CVE-2023-32002 vulnerability in Node.js?
To fix the CVE-2023-32002 vulnerability in Node.js, users should update to the latest version of Node.js from the affected release lines: 16.x, 18.x, and 20.x, once a patch or new version is released by the Node.js maintainers.
Where can I find more information about CVE-2023-32002?
More information about CVE-2023-32002 can be found in the following resources: 1. [HackerOne Report](https://hackerone.com/reports/1960870) 2. [NetApp Advisory](https://security.netapp.com/advisory/ntap-20230915-0009/)

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
collector/ibm-support
source/IBM
agent/software-canonical-lookup
collector/nvd-api
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-32002
vendor/ibm
canonical/ibm planning analytics
version/ibm planning analytics/2.0
vendor/nodejs
canonical/nodejs node.js
version/nodejs node.js/16.0.0
version/nodejs node.js/16.20.1
version/nodejs node.js/18.0.0
version/nodejs node.js/18.17.0
version/nodejs node.js/20.0.0
version/nodejs node.js/20.5.0