{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32002", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-05-01T01:00:12.220Z", "datePublished": "2023-08-21T16:52:42.147Z", "dateUpdated": "2025-07-02T14:48:45.647Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}], "affected": [{"product": "Node", "vendor": "NodeJS", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.*"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.*"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.20.2"}, {"versionType": "semver", "version": "17.0", "status": "affected", "lessThan": "17.*"}, {"versionType": "semver", "version": "18.0", "status": "affected", "lessThan": "18.17.1"}, {"versionType": "semver", "version": "19.0", "status": "affected", "lessThan": "19.*"}, {"versionType": "semver", "version": "20.0", "status": "affected", "lessThan": "20.5.1"}]}], "references": [{"url": "https://hackerone.com/reports/1960870"}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:24:58.483Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:03:28.656Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1960870", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "affected": [{"vendor": "nodejs", "product": "nodejs", "cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "16.20.1", "versionType": "semver"}, {"version": "0", "status": "affected", "lessThanOrEqual": "18.17.0", "versionType": "semver"}, {"version": "0", "status": "affected", "lessThanOrEqual": "20.5.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T14:47:51.674813Z", "id": "CVE-2023-32002", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T14:48:45.647Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1960870", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:03:28.656Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-32002", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T14:47:51.674813Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"], "vendor": "nodejs", "product": "nodejs", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "16.20.1"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "18.17.0"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "20.5.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-04T17:44:51.760Z"}}], "cna": {"affected": [{"vendor": "NodeJS", "product": "Node", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.20.2", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.17.1", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}, {"status": "affected", "version": "20.0", "lessThan": "20.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/1960870"}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}], "descriptions": [{"lang": "en", "value": "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:24:58.483Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32002", "state": "PUBLISHED", "dateUpdated": "2025-07-02T14:48:45.647Z", "dateReserved": "2023-05-01T01:00:12.220Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2023-08-21T16:52:42.147Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "F75B0DBB-A86A-4F14-8F4E-63ABA2DF1F35", "versionEndIncluding": "16.20.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "686E16B9-C6B9-4EF8-9B0F-913203469EF8", "versionEndIncluding": "18.17.0", "versionStartIncluding": "18.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "15EAF008-AA6F-4A70-9FFA-F4EE4DE53E44", "versionEndIncluding": "20.5.0", "versionStartIncluding": "20.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}, {"lang": "es", "value": "El uso de 'Module._load()' puede omitir el mecanismo de pol\u00edticas y requerir m\u00f3dulos fuera de la definici\u00f3n policy.json para un m\u00f3dulo determinado. Esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de directiva experimental en todas las l\u00edneas de versi\u00f3n activas: 16.x, 18.x y 20.x. Tenga en cuenta que en el momento en que se emiti\u00f3 este CVE, la pol\u00edtica es una caracter\u00edstica experimental de Node.js."}], "id": "CVE-2023-32002", "lastModified": "2025-07-02T15:15:23.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-08-21T17:15:47.000", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1960870"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1960870"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230915-0009/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-288"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5360", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8080020230906092006.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5362", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8080020230825111344.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5361", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "nodejs:16-8060020230906023909.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5363", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9020020230825081254.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-09-26T00:00:00Z"}, {"advisory": "RHSA-2023:5532", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs-1:16.20.2-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-09T00:00:00Z"}, {"advisory": "RHSA-2023:5533", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "nodejs-1:16.20.2-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-09T00:00:00Z"}], "bugzilla": {"description": "nodejs: Permissions policies can be bypassed via Module._load", "id": "2230948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2230948"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-213->CWE-1268", "details": ["The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.", "A vulnerability was found in NodeJS. This security issue occurs as the use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-32002", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-32002\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32002\nhttps://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002"], "statement": "This vulnerability is rated Important instead of Critical because it only impacts users of the policy mechanism that must be explicitly enabled using the `--experimental-policy` flag. This is not enabled by default.\nRed Hat's Secure Software Development Life Cycle utilizes a layered testing approach. This significantly increases attack complexity, because a compromised package must remain undetected for months to years in testing in upstream communities before it could be adopted into a Red Hat product. This long dwell-time reduces impact to Important.", "threat_severity": "Important"}