What is CVE-2023-32006?

CVE-2023-32006 refers to a vulnerability that allows the bypassing of the policy mechanism in Node.js, potentially allowing modules to be required outside of the defined policy.

Who is affected by CVE-2023-32006?

This vulnerability affects all users of Node.js who are using the experimental policy mechanism in versions 16.x, 18.x, and 20.x.

What is the severity of CVE-2023-32006?

CVE-2023-32006 has a severity rating of 8.8 (high).

How can CVE-2023-32006 be exploited?

CVE-2023-32006 can be exploited by utilizing the `module.constructor.createRequire()` function to require modules that are not defined in the policy.json file.

Are there any references for CVE-2023-32006?

Yes, you can find more information about CVE-2023-32006 at the following references: [Link1](https://hackerone.com/reports/2043807), [Link2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/), [Link3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/)

Vulnerability/
CVE-2023-32006

high

8.8

10/8/2023

15/8/2023

1/2/2024

CVE-2023-32006

First published: Thu Aug 10 2023(Updated: )

Node.js could allow a remote attacker to bypass security restrictions, caused by the use of module.constructor.createRequire(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
Nodejs Node.js	>=16.0.0<=16.20.1
Nodejs Node.js	>=18.0.0<=18.17.0
Nodejs Node.js	>=20.0.0<=20.5.0
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7096365

Frequently Asked Questions

What is CVE-2023-32006?
CVE-2023-32006 refers to a vulnerability that allows the bypassing of the policy mechanism in Node.js, potentially allowing modules to be required outside of the defined policy.
Who is affected by CVE-2023-32006?
This vulnerability affects all users of Node.js who are using the experimental policy mechanism in versions 16.x, 18.x, and 20.x.
What is the severity of CVE-2023-32006?
CVE-2023-32006 has a severity rating of 8.8 (high).
How can CVE-2023-32006 be exploited?
CVE-2023-32006 can be exploited by utilizing the `module.constructor.createRequire()` function to require modules that are not defined in the policy.json file.
Are there any references for CVE-2023-32006?
Yes, you can find more information about CVE-2023-32006 at the following references: [Link1](https://hackerone.com/reports/2043807), [Link2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/), [Link3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/)

collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-32006
collector/nvd-api
collector/nvd-index
collector/ibm-support
source/IBM
agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
vendor/nodejs
canonical/nodejs node.js
version/nodejs node.js/16.0.0
version/nodejs node.js/16.20.1
version/nodejs node.js/18.0.0
version/nodejs node.js/18.17.0
version/nodejs node.js/20.0.0
version/nodejs node.js/20.5.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/37
version/fedoraproject fedora/38