PT-2023-2003 · Node.Js+7

Goums · Published 2023-02-16 · Updated 2026-05-18 · CVE-2023-23918

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Node.js versions prior to 19.6.1
Node.js versions prior to 18.14.1
Node.js versions prior to 16.19.1
Node.js versions prior to 14.21.3

Description

A privilege escalation issue exists, related to errors in authorization. This issue can be exploited by a remote attacker to elevate their privileges. The vulnerability allows bypassing the experimental Permissions feature in Node.js, enabling access to non-authorized modules using process.mainModule.require(). This affects users who have enabled the experimental permissions option with --experimental-policy.

Recommendations

For versions prior to 19.6.1, update to version 19.6.1 or later.
For versions prior to 18.14.1, update to version 18.14.1 or later.
For versions prior to 16.19.1, update to version 16.19.1 or later.
For versions prior to 14.21.3, update to version 14.21.3 or later.
As a temporary workaround, consider disabling the process.mainModule.require() function until a patch is available.
Restrict access to non-authorized modules to minimize the risk of exploitation.
Avoid using the experimental permissions option with --experimental-policy until the issue is resolved.
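
An exposure check built from the fixed versions and the --experimental-policy condition stated above. It is an added example, not code from this advisory or from the Node.js project; the function names are hypothetical, and release lines for which no fixed version is listed here are assumed to be unpatched.

```javascript
// Added example: triage a Node.js runtime against the versions in this advisory.
// First fixed release per release line, as listed in the advisory text.
const FIXED = { 14: [14, 21, 3], 16: [16, 19, 1], 18: [18, 14, 1], 19: [19, 6, 1] };

// Parse "v18.14.0" or "18.14.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two [major, minor, patch] triples.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True when the runtime predates the fix for its release line.
// Assumption: a line with no fixed release listed (any other version
// below 19.6.1) is treated as unpatched.
function isUnpatched(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  return fixed ? lessThan(v, fixed) : lessThan(v, FIXED[19]);
}

// True when --experimental-policy is set on the command line or in NODE_OPTIONS.
function policyEnabled(execArgv, nodeOptions) {
  const args = [...execArgv, ...String(nodeOptions || '').split(/\s+/)];
  return args.some((a) => a === '--experimental-policy' || a.startsWith('--experimental-policy='));
}

// 'exposed': unpatched runtime with the policy feature in use.
// 'unpatched': affected version, policy feature not enabled in this process.
function assess(version, execArgv, nodeOptions) {
  const unpatched = isUnpatched(version);
  if (unpatched && policyEnabled(execArgv, nodeOptions)) return 'exposed';
  return unpatched ? 'unpatched' : 'patched';
}

// Report on the runtime executing this script.
console.log(assess(process.version, process.execArgv, process.env.NODE_OPTIONS));
```

Run it with the same node binary and NODE_OPTIONS as the service being assessed, since the result describes only the process that executes it.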

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

ALSA-2023:1582
ALSA-2023:1583
ALSA-2023:1743
ALSA-2023:2654
ALSA-2023:2655
ALT-PU-2023-1431
ALT-PU-2023-1494
ALT-PU-2023-1496
AZL-13776
BDU:2023-01627
BIT-NODE-2023-23918
BIT-NODE-MIN-2023-23918
CESA-2023_1582
CESA-2023_1583
CESA-2023_1743
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2023-23918
DSA-5589-1
MGASA-2023-0078
OESA-2023-1551
OPENSUSE-SU-2023_3455-1
OPENSUSE-SU-2024:12725-1
OPENSUSE-SU-2024:12726-1
RHSA-2023:1533
RHSA-2023:1582
RHSA-2023:1583
RHSA-2023:1742
RHSA-2023:1743
RHSA-2023:1744
RHSA-2023:2654
RHSA-2023:2655
RHSA-2023_1582
RHSA-2023_1583
RHSA-2023_1743
RHSA-2023_2654
RHSA-2023_2655
RLSA-2023:1582
RLSA-2023:1583
RLSA-2023:1743
RLSA-2023:2655
SUSE-SU-2023:0607-1
SUSE-SU-2023:0608-1
SUSE-SU-2023:0609-1
SUSE-SU-2023:0673-1
SUSE-SU-2023:0674-1
SUSE-SU-2023:0715-1
SUSE-SU-2023:0738-1
SUSE-SU-2023:3455-1
SUSE-SU-2023_0607-1
SUSE-SU-2023_0608-1
SUSE-SU-2023_0609-1
SUSE-SU-2023_0673-1
SUSE-SU-2023_0674-1
SUSE-SU-2023_0715-1
SUSE-SU-2023_0738-1
SUSE-SU-2023_3455-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Red Os
Rocky Linux
Suse