2230956 – (TRIAGE-CVE-2023-32559) TRIAGE-CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding

Bug 2230956 (TRIAGE-CVE-2023-32559) - TRIAGE-CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding

Summary: TRIAGE-CVE-2023-32559 nodejs: Permissions policies can be bypassed via proces...

Keywords:
Status:	NEW
Alias:	TRIAGE-CVE-2023-32559
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2230972 2230973 2230974 2230975
Blocks:	2230962
TreeView+	depends on / blocked

Reported:	2023-08-10 10:06 UTC by Mauro Matteo Cascella
Modified:	2023-08-10 10:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2023-08-10 10:06:05 UTC

The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559

Note You need to log in before you can comment on or make changes to this bug.