The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Security Advisory: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2233388] Affects: fedora-37 [bug 2233384] Created nodejs16 tracking bugs for this issue: Affects: fedora-38 [bug 2233390] Created nodejs18 tracking bugs for this issue: Affects: fedora-38 [bug 2233391] Created nodejs20 tracking bugs for this issue: Affects: fedora-38 [bug 2233392] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233389] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233386] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-8 [bug 2233387] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-38 [bug 2233393] Created nodejs:18/nodejs tracking bugs for this issue: Affects: fedora-37 [bug 2233385]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532