CVE-2023-23918

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-23918
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-23918
Aliases
Downstream
Related
Published
2023-02-23T20:15:13.920Z
Modified
2026-03-14T12:03:25.979Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
73aa21658dfa6a22c06451d080152b32b1f98dbe
Last affected
354b6a93bd1d66f1833489d6fe01a2b0e8f6aff9
Introduced
73aa21658dfa6a22c06451d080152b32b1f98dbe
Fixed
edd64fe5ba20c6c2f53720c672c591f09d9d4ac0
Introduced
7162e686b18d22b4385fa5c04274fb04dbd810c7
Last affected
49415500bb1bf51a1fade5ea2d03f3988ecabc25
Introduced
7162e686b18d22b4385fa5c04274fb04dbd810c7
Fixed
96a4559f259f109a2abc480caeba12644b8a8fd1
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Last affected
8c1dd95f3cc5d91acb9ce8994b3ac45ab927178f
Introduced
49a77a5a996a49e8cb728eed42e55a7c1a9eef6e
Fixed
7bc2cf7fa9a2016fadb27e042968a69297bd975e
Introduced
cc993fb2760d01457955f5b9ff787d559ed1c34e
Fixed
a9d1e5059f9cc63cafc8e786a7b6332aa7ab3b2b
Database specific 
{
    "versions": [
        {
            "introduced": "14.0.0"
        },
        {
            "last_affected": "14.14.0"
        },
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.21.3"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "last_affected": "16.12.0"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "fixed": "16.19.1"
        },
        {
            "introduced": "18.0.0"
        },
        {
            "last_affected": "18.11.0"
        },
        {
            "introduced": "18.0.0"
        },
        {
            "fixed": "18.14.1"
        },
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "19.6.1"
        }
    ]
}

Affected versions

v14.*
v14.0.0
v14.1.0
v14.10.0
v14.10.1
v14.11.0
v14.12.0
v14.13.0
v14.13.1
v14.14.0
v14.15.0
v14.15.1
v14.15.2
v14.15.3
v14.15.4
v14.15.5
v14.16.0
v14.16.1
v14.17.0
v14.17.1
v14.17.2
v14.17.3
v14.17.4
v14.17.5
v14.17.6
v14.18.0
v14.18.1
v14.18.2
v14.18.3
v14.19.0
v14.19.1
v14.19.2
v14.19.3
v14.2.0
v14.20.0
v14.20.1
v14.21.0
v14.21.1
v14.21.2
v14.3.0
v14.4.0
v14.5.0
v14.6.0
v14.7.0
v14.8.0
v14.9.0
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.11.1
v16.12.0
v16.13.0
v16.13.1
v16.13.2
v16.14.0
v16.14.1
v16.14.2
v16.15.0
v16.15.1
v16.16.0
v16.17.0
v16.17.1
v16.18.0
v16.18.1
v16.19.0
v16.2.0
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.5.0
v16.6.0
v16.6.1
v16.6.2
v16.7.0
v16.8.0
v16.9.0
v16.9.1
v18.*
v18.0.0
v18.1.0
v18.10.0
v18.11.0
v18.12.0
v18.12.1
v18.13.0
v18.14.0
v18.2.0
v18.3.0
v18.4.0
v18.5.0
v18.6.0
v18.7.0
v18.8.0
v18.9.0
v18.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23918.json"