PT-2022-3607 · Node.Js · Node.Js

Yakir Kadkoda

Published

2022-07-07

Updated

2025-07-16

CVE-2022-32223

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Node.js versions prior to the fixed version

Description

The issue is related to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms. This can be exploited if the victim has specific dependencies on a Windows machine, including the installation of OpenSSL and the existence of "C:\Program Files\Common Files\SSL\openssl.cnf". The node.exe will search for providers.dll in the current user directory and then by the DLL Search Order in Windows, allowing an attacker to place a malicious providers.dll file under various paths and exploit this issue.

Recommendations

As a temporary workaround, consider disabling the loading of providers.dll until a patch is available. Restrict access to the node.exe to minimize the risk of exploitation. Avoid using the node.exe with the affected dependencies until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
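A defender-side audit for the conditions in the description, added here as an example and not part of the original advisory or the Node.js project: it walks the current directory and the PATH entries (a simplification of the Windows DLL search order), reports any existing providers.dll, and flags directories the current user can write to. The function names are hypothetical.

```python
import os
import tempfile

# Config path named in the advisory; its presence is a stated precondition.
OPENSSL_CNF = r"C:\Program Files\Common Files\SSL\openssl.cnf"
DLL_NAME = "providers.dll"


def search_dirs(cwd, path_value, sep=os.pathsep):
    """Current directory first, then PATH entries, de-duplicated in order."""
    seen, ordered = set(), []
    entries = [p.strip('"') for p in path_value.split(sep) if p.strip()]
    for d in [cwd] + entries:
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def writable(d):
    """True if the current user can create a file in d (probe is auto-deleted)."""
    try:
        with tempfile.TemporaryFile(dir=d):
            return True
    except OSError:
        return False


def audit(dirs, dll_name=DLL_NAME):
    """Return (planted, plantable): existing copies of the DLL, and
    directories where the current user could create one."""
    planted, plantable = [], []
    for d in dirs:
        if not os.path.isdir(d):
            continue  # stale PATH entry
        planted += [os.path.join(d, e) for e in os.listdir(d)
                    if e.lower() == dll_name]
        if writable(d):
            plantable.append(d)
    return planted, plantable


if __name__ == "__main__":
    found, open_dirs = audit(search_dirs(os.getcwd(), os.environ.get("PATH", "")))
    print("openssl.cnf present:", os.path.isfile(OPENSSL_CNF))
    for p in found:
        print("FOUND   ", p)
    for d in open_dirs:
        print("WRITABLE", d)
```

Run it as the account that launches node.exe, from the directory node.exe is started in; any FOUND entry that is not part of a known OpenSSL installation deserves investigation.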

Exploit

Uncontrolled Search Path Element

Weakness Enumeration

Related Identifiers

BDU:2022-04391
BIT-NODE-2022-32223
BIT-NODE-MIN-2022-32223
CVE-2022-32223

Affected Products

Node.Js