PT-2023-4549 · Node.Js +9

Leodog896 · Published 2023-08-09 · Updated 2025-07-01 · CVE-2023-32559

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Node.js versions 16.x through 20.x

Description: A privilege escalation issue exists in the experimental policy mechanism due to inadequate access controls. This can be exploited by a remote attacker to bypass existing security restrictions. The use of the deprecated API process.binding() can bypass the policy mechanism, allowing an attacker to require internal modules and eventually execute arbitrary code outside of the limits defined in a policy.json file. The policy is an experimental feature of Node.js.
Recommendations: For Node.js versions 16.x through 20.x, consider disabling the use of the deprecated API process.binding() as a temporary workaround until a patch is available. Restrict access to internal modules to minimize the risk of exploitation. Avoid using process.binding('spawn_sync') in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit · LPE

Weakness Enumeration: Improper Privilege Management

Related Identifiers

ALSA-2023:5360
ALSA-2023:5362
ALSA-2023:5363
ALSA-2023:5532
ALT-PU-2023-6858
ALT-PU-2024-14696
ALT-PU-2025-2007
ALT-PU-2025-2047
AZL-27973
AZL-27974
BDU:2023-04955
BIT-NODE-2023-32559
BIT-NODE-MIN-2023-32559
CESA-2023_5360
CESA-2023_5362
CVE-2023-32559
DLA-3886-1
DSA-5589-1
MGASA-2023-0264
OESA-2023-1551
OPENSUSE-SU-2023_3378-1
OPENSUSE-SU-2023_3379-1
OPENSUSE-SU-2023_3408-1
OPENSUSE-SU-2023_3455-1
OPENSUSE-SU-2024:13117-1
RHSA-2023:5360
RHSA-2023:5361
RHSA-2023:5362
RHSA-2023:5363
RHSA-2023:5532
RHSA-2023:5533
RHSA-2023_5360
RHSA-2023_5362
RHSA-2023_5363
RHSA-2023_5532
RLSA-2023:5363
RLSA-2023:5532
SUSE-SU-2023:3306-1
SUSE-SU-2023:3355-1
SUSE-SU-2023:3356-1
SUSE-SU-2023:3378-1
SUSE-SU-2023:3379-1
SUSE-SU-2023:3400-1
SUSE-SU-2023:3408-1
SUSE-SU-2023:3455-1
USN-6822-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Node.Js
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu