A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
{
"cna_assigner": "hackerone",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23918.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "4.0"
},
{
"fixed": "4.*"
},
{
"introduced": "5.0"
},
{
"fixed": "5.*"
},
{
"introduced": "6.0"
},
{
"fixed": "6.*"
},
{
"introduced": "7.0"
},
{
"fixed": "7.*"
},
{
"introduced": "8.0"
},
{
"fixed": "8.*"
},
{
"introduced": "9.0"
},
{
"fixed": "9.*"
},
{
"introduced": "10.0"
},
{
"fixed": "10.*"
},
{
"introduced": "11.0"
},
{
"fixed": "11.*"
},
{
"introduced": "12.0"
},
{
"fixed": "12.*"
},
{
"introduced": "13.0"
},
{
"fixed": "13.*"
},
{
"introduced": "14.0"
},
{
"fixed": "14.21.3"
},
{
"introduced": "15.0"
},
{
"fixed": "15.*"
},
{
"introduced": "16.0"
},
{
"fixed": "16.19.1"
},
{
"introduced": "17.0"
},
{
"fixed": "17.*"
},
{
"introduced": "18.0"
},
{
"fixed": "18.14.1"
},
{
"introduced": "19.0"
},
{
"fixed": "19.6.1"
}
],
"source": "AFFECTED_FIELD"
}
]
}{
"cpe": [
"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"
],
"extracted_events": [
{
"introduced": "14.0.0"
},
{
"last_affected": "14.14.0"
},
{
"fixed": "14.21.3"
},
{
"introduced": "16.0.0"
},
{
"last_affected": "16.12.0"
},
{
"fixed": "16.19.1"
},
{
"introduced": "18.0.0"
},
{
"last_affected": "18.11.0"
},
{
"fixed": "18.14.1"
},
{
"introduced": "19.0.0"
},
{
"fixed": "19.6.1"
}
],
"source": "CPE_RANGE"
}