2230955 – (TRIAGE-CVE-2023-32006) TRIAGE-CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()

Bug 2230955 (TRIAGE-CVE-2023-32006) - TRIAGE-CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()

Summary: TRIAGE-CVE-2023-32006 nodejs: Permissions policies can impersonate other modu...

Keywords:
Status:	NEW
Alias:	TRIAGE-CVE-2023-32006
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2230968 2230969 2230970 2230971
Blocks:	2230962
TreeView+	depends on / blocked

Reported:	2023-08-10 10:04 UTC by Mauro Matteo Cascella
Modified:	2023-08-10 10:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2023-08-10 10:04:22 UTC

The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006

Note You need to log in before you can comment on or make changes to this bug.