When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the nodes policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | 18.0.0 (including) | 18.18.1 (including) |
| Node.js | Nodejs | 20.1.0 (including) | 20.8.0 (including) |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | lunar | * |
| Nodejs | Ubuntu | mantic | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | trusty/esm | * |
| Nodejs | Ubuntu | xenial | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:18-8080020231015215042.63b34585 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:20-8090020231019152822.a75119d5 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:18-9020020231015221156.rhel9 | * |