First published: Thu Aug 10 2023(Updated: )
Node.js could allow a remote attacker to bypass security restrictions, caused by the use of Module._load(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Nodejs Node.js | >=16.0.0<=16.20.1 | |
Nodejs Node.js | >=18.0.0<=18.17.0 | |
Nodejs Node.js | >=20.0.0<=20.5.0 | |
IBM Planning Analytics | <=2.0 | |
ubuntu/nodejs | <12.22.9~dfsg-1ubuntu3.6 | 12.22.9~dfsg-1ubuntu3.6 |
ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.3 | 18.13.0+dfsg1-1ubuntu2.3 |
debian/nodejs | <=12.22.12~dfsg-1~deb11u4 | 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.14.0+dfsg-3 20.15.0+dfsg-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-32002 is a vulnerability that allows the use of `Module._load()` to bypass the policy mechanism and require modules outside of the policy.json definition for a given module in Node.js, affecting all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.
CVE-2023-32002 impacts Node.js users who are using the experimental policy mechanism in active release lines 16.x, 18.x, and 20.x, by allowing the bypassing of the policy mechanism and requiring modules outside of the policy.json definition for a given module.
The severity of CVE-2023-32002 is rated as critical with a CVSS score of 9.8.
To fix the CVE-2023-32002 vulnerability in Node.js, users should update to the latest version of Node.js from the affected release lines: 16.x, 18.x, and 20.x, once a patch or new version is released by the Node.js maintainers.
More information about CVE-2023-32002 can be found in the following resources: 1. [HackerOne Report](https://hackerone.com/reports/1960870) 2. [NetApp Advisory](https://security.netapp.com/advisory/ntap-20230915-0009/)