First published: Thu Aug 10 2023(Updated: )
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Credit: support@hackerone.com support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Nodejs Node.js | >=16.0.0<=16.20.1 | |
Nodejs Node.js | >=18.0.0<=18.17.0 | |
Nodejs Node.js | >=20.0.0<=20.5.0 | |
ubuntu/nodejs | <12.22.9~dfsg-1ubuntu3.6 | 12.22.9~dfsg-1ubuntu3.6 |
ubuntu/nodejs | <18.13.0+dfsg1-1ubuntu2.3 | 18.13.0+dfsg1-1ubuntu2.3 |
debian/nodejs | <=12.22.12~dfsg-1~deb11u4 | 18.19.0+dfsg-6~deb12u2 18.19.0+dfsg-6~deb12u1 20.14.0+dfsg-3 20.15.0+dfsg-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-32559 is a privilege escalation vulnerability that exists in the experimental policy mechanism in Node.js.
CVE-2023-32559 affects all active release lines of Node.js: 16.x, 18.x, and 20.x.
CVE-2023-32559 can be exploited by using the deprecated API `process.binding()` to bypass the policy mechanism, allowing privilege escalation.
CVE-2023-32559 has a severity rating of 7.5 (high).
To fix CVE-2023-32559, update your Node.js version to the latest release in the affected release lines: 16.x, 18.x, or 20.x.