CVE-2023-30581

2023-11-2300:15:07

[email protected]

web.nvd.nist.gov

178

cve-2023-30581

__proto__

policy mechanism

node.js

nvd

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

Affected configurations

NVD

Node

nodejsnode.jsRange16.0.0–16.20.1-

nodejsnode.jsRange18.0.0–18.16.1-

nodejsnode.jsRange20.0.0–20.3.1-

CPENameOperatorVersion
nodejs:node.jsnodejs node.jslt16.20.1
nodejs:node.jsnodejs node.jslt18.16.1
nodejs:node.jsnodejs node.jslt20.3.1

CPE	Name	Operator	Version
nodejs:node.js	nodejs node.js	lt	16.20.1
nodejs:node.js	nodejs node.js	lt	18.16.1
nodejs:node.js	nodejs node.js	lt	20.3.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Node.js",
    "product": "Node.js",
    "versions": [
      {
        "version": "16.20.1",
        "status": "affected",
        "lessThan": "16.20.1",
        "versionType": "semver"
      },
      {
        "version": "18.16.1",
        "status": "affected",
        "lessThan": "18.16.1",
        "versionType": "semver"
      },
      {
        "version": "20.3.1",
        "status": "affected",
        "lessThan": "20.3.1",
        "versionType": "semver"
      }
    ]
  }
]