CVE-2023-32559: A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated…

high7.5CVSS 3.1

AVNACHPRLUINSUCHIHAH

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	nodejs	< nodejs 18.19.0+dfsg-6~deb12u1 (bookworm)	nodejs 18.19.0+dfsg-6~deb12u1 (bookworm)
msrc	cbl2_nodejs18_18.17.1-2_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs_16.20.2-2_on_cbl_mariner_2.0	—	—
nodejs	node	>= 10.0 < 10.*	10.*
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.*	12.*
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.*	14.*
nodejs	node	>= 15.0 < 15.*	15.*
nodejs	node	>= 16.0 < 16.20.2	16.20.2
nodejs	node	>= 17.0 < 17.*	17.*
nodejs	node	>= 18.0 < 18.17.1	18.17.1
nodejs	node	>= 19.0 < 19.*	19.*
nodejs	node	>= 20.0 < 20.5.1	20.5.1
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*
nodejs	node	>= 6.0 < 6.*	6.*
nodejs	node	>= 7.0 < 7.*	7.*
nodejs	node	>= 8.0 < 8.*	8.*
nodejs	node	>= 9.0 < 9.*	9.*
nodejs	node.js	16.0.0 – 16.20.1	—
nodejs	node.js	18.0.0 – 18.17.0	—
nodejs	node.js	20.0.0 – 20.5.0	—
nodejs	nodejs	>= 0 < 12.22.12~dfsg-1~deb11u5	12.22.12~dfsg-1~deb11u5
nodejs	nodejs	>= 0 < 18.19.0+dfsg-6~deb12u1	18.19.0+dfsg-6~deb12u1

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL