CVE-2023-32559

Name
CVE-2023-32559
Description
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://hackerone.com/reports/1946470
Third Party Advisory https://security.netapp.com/advisory/ntap-20231006-0006/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 20.0.0 <= 20.5.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 16.0.0 <= 16.20.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 18.0.0 <= 18.17.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs 3.15-main 16.20.2-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
nodejs 3.16-main 16.20.2-r0 Jakub Jirutka <jakub@jirutka.cz> fixed