The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2023-11-22T23:28:30.768Z
Updated: 2024-08-02T14:28:51.907Z
Reserved: 2023-04-13T01:00:12.085Z
Link: CVE-2023-30581
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-11-23T00:15:07.980
Modified: 2024-11-21T08:00:27.393
Link: CVE-2023-30581
Redhat