CVE-2023-32006

CWE-693, CWE-213 | 10 documents | 8 sources

Severity: 8.8 HIGH
EPSS: 0.1% (top 77.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 15; Latest update Jun 10

Description

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (5 packages)

Source      Package          Affected versions                    Additional ranges
CVEListV5   nodejs/node      4.0 to 4.*                           +16
Alpine      nodejs           < 16.20.2-r0                         +8
Debian      nodejs           < 18.19.0+dfsg-6~deb12u1             +2
Ubuntu      nodejs           < 12.22.9~dfsg-1ubuntu3.6
NVD         nodejs/node.js   16.0.0 to 16.20.1                    +2

Also affects: Fedora 37, 38

Vulnerability Details (5)

OSV: nodejs vulnerabilities (2024-06-10)
GHSA: GHSA-356r-x8g9-vh8c: The use of `module... (2023-08-15)
OSV: CVE-2023-32006: The use of `module... (2023-08-15)
CVEList: CVE-2023-32006: The use of `module... (2023-08-15)
OSV: CVE-2023-32006: The use of `module... (2023-08-15)

Vendor Advisories (4)

Ubuntu: Node.js vulnerabilities (2024-06-10)
Red Hat: nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire() (2023-08-09)
Microsoft: The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users usin... (2023-08-08)
Debian: CVE-2023-32006: nodejs - The use of `module.constructor.createRequire()` can bypass the policy mechanism ... (2023)

CVE-2023-32006 (HIGH, CVSS 8.8) | cvebase.io