CVE-2023-32559

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Aug 24, 2023
Updated: Oct 24, 2023

Summary

CVE-2023-32559 is a privilege escalation vulnerability in the experimental policy mechanism of Node.js (enabled with `--experimental-policy`), affecting all release lines that were active at the time: 16.x, 18.x and 20.x. The policy mechanism can be bypassed through the deprecated API `process.binding()`: JavaScript running under a policy can use it to require internal modules and ultimately reach `process.binding('spawn_sync')`, which lets an attacker who can execute code in the process run arbitrary commands outside the limits defined in the `policy.json` file. The bypass matters only to deployments that opted into the policy feature, which was still experimental when this CVE was issued; it was fixed in Node.js 16.20.2, 18.17.1 and 20.5.1 (the August 2023 security release).
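The following is an added example, not code from this advisory or from the Node.js project. It shows the two checks a defender would run for this CVE: whether a given Node.js version is at or past the release that fixed it (assuming the fixed versions 16.20.2, 18.17.1 and 20.5.1 from the August 2023 security release), and a lexical sweep of source text for calls to the deprecated `process.binding()` API, which is the bypass primitive the CVE names. The sample source is constructed for the demonstration.

```javascript
// Added example for CVE-2023-32559 (not part of the advisory or of Node.js).
// Assumption: the fix shipped in Node.js 16.20.2, 18.17.1 and 20.5.1.
const FIXED_VERSIONS = { 16: [16, 20, 2], 18: [18, 17, 1], 20: [20, 5, 1] };

// Parse "v20.5.1" or "20.5.1" (a pre-release suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is at or above the fixed release for its line
// false -> version is on an affected line but below the fix
// null  -> major line not covered by the advisory (16.x, 18.x, 20.x)
function isFixedNodeVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return null;
  return compareVersions(parsed, fixed) >= 0;
}

// Matches process.binding( and process['binding']( / process["binding"](.
// Purely lexical: it also flags comments and strings, which is the
// conservative choice for a triage sweep over a code base.
const BINDING_RE = /process\s*(?:\.\s*binding|\[\s*['"]binding['"]\s*\])\s*\(/;

// Returns [{ line, text }] for every line of `source` that calls process.binding.
function findProcessBindingUses(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    if (BINDING_RE.test(text)) hits.push({ line: idx + 1, text: text.trim() });
  });
  return hits;
}

// Constructed sample input; not taken from any real project.
const SAMPLE_SOURCE = `
const fs = require('fs');
// legitimate code
const data = fs.readFileSync('config.json');
const spawnSync = process.binding('spawn_sync'); // deprecated API, flag it
const b = process['binding']('fs');
const ok = process.env.HOME;
`;

// Human-readable report for the running interpreter and the sample source.
function report(version, source) {
  const lines = [`Node.js ${version}: fixed for CVE-2023-32559 = ${isFixedNodeVersion(version)}`];
  for (const hit of findProcessBindingUses(source)) {
    lines.push(`process.binding() call at line ${hit.line}: ${hit.text}`);
  }
  return lines.join('\n');
}

console.log(report(process.version, SAMPLE_SOURCE));
```

Run it with `node` to see the verdict for the interpreter in use; point `findProcessBindingUses` at your own files to locate deprecated-API call sites that a policy-protected deployment should not contain. A `null` verdict means the version is on a line the advisory does not cover, not that it is safe.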

