PT-2023-4496 · Node.Js+7
Axel Chong · Published 2023-06-20 · Updated 2025-02-13 · CVE-2023-30581
CVSS v2.0: 7.8 (High)
CVSS v2.0 vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Node.js versions v16, v18, and v20
Description
The issue stems from the use of __proto__ in process.mainModule.__proto__.require(), which can bypass the policy mechanism and allow requiring modules outside of the policy.json definition. This affects users of the experimental policy mechanism in the mentioned release lines. The policy mechanism was noted as an experimental feature of Node.js at the time the issue was identified.
Recommendations
For Node.js versions v16, v18, and v20, consider disabling the use of __proto__ in process.mainModule.__proto__.require() as a temporary workaround until a patch is available.
Restrict access to modules outside of the policy.json definition to minimize the risk of exploitation.
Avoid using the experimental policy mechanism in production environments until a stable version is released.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Missing Authorization
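As an added example (not part of this advisory or of Node.js itself), the check below scans source for the process.mainModule.__proto__.require() pattern named in the description, reports whether a version string falls in one of the listed release lines (v16, v18, v20), and tells from a process's startup flags whether the experimental policy mechanism is active. The bracket-notation form process.mainModule['__proto__'].require() is an assumed variant the scanner also flags; the sample source is constructed for the demonstration.

```javascript
// Dot or bracket access to __proto__ on process.mainModule, followed by a
// .require( call. The bracket form is an assumed variant, not from the advisory.
const BYPASS_PATTERN =
  /process\s*\.\s*mainModule\s*(?:\.\s*__proto__|\[\s*['"]__proto__['"]\s*\])\s*\.\s*require\s*\(/;

// Return every line of `source` containing the pattern, with 1-based line numbers.
function findPolicyBypassPatterns(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    if (BYPASS_PATTERN.test(text)) {
      hits.push({ line: idx + 1, text: text.trim() });
    }
  });
  return hits;
}

// Release lines listed as affected by the advisory.
const AFFECTED_MAJORS = new Set([16, 18, 20]);

// True when a version string such as process.version ("v18.16.0") is in an
// affected release line. Only the major is inspected, matching the advisory.
function isAffectedReleaseLine(version) {
  const m = /^v?(\d+)\./.exec(version);
  return m !== null && AFFECTED_MAJORS.has(Number(m[1]));
}

// True when the experimental policy mechanism was enabled at startup,
// judged from the flags in execArgv (e.g. process.execArgv).
function policyMechanismEnabled(execArgv) {
  return execArgv.some(
    (a) => a === '--experimental-policy' || a.startsWith('--experimental-policy=')
  );
}

// Constructed sample source: one normal require, two flagged lines, one benign
// use of process.mainModule that must not be flagged.
const SAMPLE_SOURCE = [
  "const fs = require('fs');",
  "const cp = process.mainModule.__proto__.require('child_process');",
  "const net = process.mainModule['__proto__'].require('net');",
  "console.log(process.mainModule.filename);",
].join('\n');

console.log(findPolicyBypassPatterns(SAMPLE_SOURCE));
console.log('affected release line:', isAffectedReleaseLine('v18.16.0'));
console.log('policy enabled:', policyMechanismEnabled(['--experimental-policy=policy.json']));
```

Run it against a real tree by reading each file's contents into findPolicyBypassPatterns, and against a running process by passing process.version and process.execArgv to the other two checks.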
Affected Products
Alt Linux
Almalinux
Centos
Debian
Node.Js
Red Hat
Rocky Linux
Suse