CVE-2023-23918

CWE-863Incorrect Authorization7 documents7 sources
Severity
7.5HIGH
EPSS
0.0%
top 94.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedFeb 23

Description

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5nodejs/node4.04.*+15
NVDnodejs/node.js14.0.014.21.3+6
Debiannodejs< 18.19.0+dfsg-6~deb12u1+2

Patches

Patch: nodejs.orgPatch: nodejs.org

🔴Vulnerability Details

3
OSV
CVE-2023-23918: A privilege escalation vulnerability exists in Node2023-02-23
GHSA
GHSA-33p5-m25c-cp6w: A privilege escalation vulnerability exists in Node2023-02-23
CVEList
CVE-2023-23918: A privilege escalation vulnerability exists in Node2023-02-23

📋Vendor Advisories

3
Red Hat
Node.js: Permissions policies can be bypassed via process.mainModule2023-02-16
Microsoft
A privilege escalation vulnerability exists in Node.js <19.6.1 <18.14.1 <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) fea2023-02-14
Debian
CVE-2023-23918: nodejs - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19...2023
CVE-2023-23918 (HIGH CVSS 7.5) | A privilege escalation vulnerabilit | cvebase.io