PT-2023-4548 · Node.js +10

Axel Chong · Published 2023-08-09 · Updated 2025-05-08 · CVE-2023-32006

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Node.js versions 16.x through 20.x

Description

The issue is related to the use of module.constructor.createRequire(), which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This affects all users using the experimental policy mechanism in the mentioned release lines. The policy is an experimental feature of Node.js.

Recommendations

For Node.js versions 16.x through 20.x, consider disabling the use of module.constructor.createRequire() until a patch is available to prevent bypassing the policy mechanism. Restrict access to modules outside of the policy.json definition to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

ALSA-2023:5360
ALSA-2023:5362
ALSA-2023:5363
ALSA-2023:5532
ALT-PU-2023-6858
ALT-PU-2024-14696
ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-27926
AZL-27941
BDU:2023-04954
BIT-NODE-2023-32006
BIT-NODE-MIN-2023-32006
CESA-2023_5360
CESA-2023_5362
CVE-2023-32006
DSA-5589-1
MGASA-2023-0264
OESA-2023-1551
OPENSUSE-SU-2023_3378-1
OPENSUSE-SU-2023_3379-1
OPENSUSE-SU-2023_3408-1
OPENSUSE-SU-2023_3455-1
OPENSUSE-SU-2024:13117-1
RHSA-2023:5360
RHSA-2023:5361
RHSA-2023:5362
RHSA-2023:5363
RHSA-2023:5532
RHSA-2023:5533
RHSA-2023_5360
RHSA-2023_5362
RHSA-2023_5363
RHSA-2023_5532
RLSA-2023:5363
RLSA-2023:5532
SUSE-SU-2023:3306-1
SUSE-SU-2023:3355-1
SUSE-SU-2023:3356-1
SUSE-SU-2023:3378-1
SUSE-SU-2023:3379-1
SUSE-SU-2023:3400-1
SUSE-SU-2023:3408-1
SUSE-SU-2023:3455-1
USN-6822-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Debian
Linux Mint
Node.js
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu