The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | 16.0.0 (including) | 16.20.1 (including) |
| Node.js | Nodejs | 18.0.0 (including) | 18.17.0 (including) |
| Node.js | Nodejs | 20.0.0 (including) | 20.5.0 (including) |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:16-8080020230906092006.63b34585 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:18-8080020230825111344.63b34585 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | nodejs:16-8060020230906023909.ad008a3a | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:18-9020020230825081254.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs-1:16.20.2-1.el9_2 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | nodejs-1:16.20.2-1.el9_0 | * |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | esm-apps/jammy | * |
| Nodejs | Ubuntu | jammy | * |
| Nodejs | Ubuntu | lunar | * |
| Nodejs | Ubuntu | mantic | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | xenial | * |