CVE-2023-32002

CWE-288 CWE-213 CWE-126814 documents10 sources

Severity

9.8CRITICAL

EPSS

0.0%

top 87.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js

Timeline

PublishedAug 21

Latest updateFeb 11

Description

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5nodejs/node4.0 — 4.*+16

▶Alpinenodejs< 16.20.2-r0+8

▶Debiannodejs< 18.19.0+dfsg-6~deb12u1+2

▶Ubuntunodejs< 12.22.9~dfsg-1ubuntu3.6

▶NVDnodejs/node.js16.0.0 — 16.20.1+2

🔴Vulnerability Details

OSV

git vulnerabilities↗2024-09-19

▶

OSV

nodejs vulnerabilities↗2024-06-10

▶

GHSA

GHSA-9m48-r3w4-x35v: The use of `Module↗2023-08-21

▶

OSV

CVE-2023-32002: The use of `Module↗2023-08-21

▶

OSV

CVE-2023-32002: The use of `Module↗2023-08-21

▶

📋Vendor Advisories

Microsoft

HackerOne: CVE-2023-32002 Node.js `Module._load()` policy Remote Code Execution Vulnerability↗2025-02-11

▶

Ubuntu

Node.js vulnerabilities↗2024-06-10

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: One-Click Provisioning (Node.js) — CVE-2023-32002↗2024-01-15

▶

Microsoft

CVE-2023-32002: FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One↗2023-09-12

▶

Red Hat

nodejs: Permissions policies can be bypassed via Module._load↗2023-08-09

▶

💬Community

HackerOne

Permissions policies can be bypassed via Module._load and require.extensions (High) (CVE-2023-30587)↗2023-11-30

▶