CVE-2023-30581

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-30581
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30581.json
Aliases
Related
Published
2023-11-23T00:15:07Z
Modified
2024-05-14T12:54:58.607454Z
Summary
[none]
Details

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18, and v20.

Please note that at the time this CVE was issued, the policy mechanism was an experimental feature of Node.js.

References

Affected packages

Git / github.com/nodejs/node

Affected versions

v20.*

v20.0.0
v20.1.0
v20.2.0
v20.3.0