CVE-2023-30581
Public on 2023-06-23
Modified on 2024-02-04
Description
The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | nodejs | 2023-07-05 | ALAS2023-2023-237 | Fixed |
| Amazon Linux 2 - Core | nodejs-packaging | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |