CVE-2023-23918

Published: 2/23/2023 Last updated: 5/8/2025 Reserved: 1/19/2023

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	7.5	High	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Opam packages affected (1)

conf-npm

Products affected (1)

Product	Vendor	Version
Node	NodeJS	n/a

References (4)

https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
https://security.netapp.com/advisory/ntap-20230316-0008/
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
https://security.netapp.com/advisory/ntap-20230316-0008/