The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Metrics
Affected Vendors & Products
References
History
Mon, 07 Oct 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Nodejs nodejs
|
|
Weaknesses | CWE-288 | |
CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Nodejs nodejs
|
|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2023-08-21T16:52:42.147Z
Updated: 2024-10-04T17:44:59.121Z
Reserved: 2023-05-01T01:00:12.220Z
Link: CVE-2023-32002
Vulnrichment
Updated: 2024-08-02T15:03:28.656Z
NVD
Status : Modified
Published: 2023-08-21T17:15:47.000
Modified: 2024-11-21T08:02:30.353
Link: CVE-2023-32002
Redhat