CVE-2023-32559 - High Severity Vulnerability
Vulnerable Library - node v13.12.0
Node.js JavaScript runtime ✨🐢🚀✨
Library home page: https://github.com/nodejs/node.git
Found in HEAD commit: ec9a3f8a365636d40076233e59d310f9ec5e9c96
Found in base branch: master
Vulnerable Source Files (2)
/lib/internal/process/policy.js
Vulnerability Details
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Publish Date: 2023-08-24
URL: CVE-2023-32559
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32559
Release Date: 2023-05-10
Fix Resolution: v16.20.2, v18.17.1, v20.5.1