The use of Module._load()
can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
{ "binaries": [ { "binary_name": "libnode-dev", "binary_version": "12.22.9~dfsg-1ubuntu3.6" }, { "binary_name": "libnode72", "binary_version": "12.22.9~dfsg-1ubuntu3.6" }, { "binary_name": "libnode72-dbgsym", "binary_version": "12.22.9~dfsg-1ubuntu3.6" }, { "binary_name": "nodejs", "binary_version": "12.22.9~dfsg-1ubuntu3.6" }, { "binary_name": "nodejs-dbgsym", "binary_version": "12.22.9~dfsg-1ubuntu3.6" }, { "binary_name": "nodejs-doc", "binary_version": "12.22.9~dfsg-1ubuntu3.6" } ], "availability": "No subscription required" }