CVE-2023-32559
CVSS 3.1 Score 7.5 of 10 (high)
Details
Published: Aug 24, 2023
Updated: Oct 24, 2023
Summary
CVE-2023-32559 is a privilege escalation vulnerability affecting all active release lines of Node.js at the time, including 16.x, 18.x, and 20.x. The issue stems from the experimental policy mechanism, which can be bypassed using the deprecated API `process.binding()`. By requiring internal modules and abusing `process.binding('spawn_sync')`, an attacker can run arbitrary code outside the restrictions defined in a `policy.json` file. When this CVE was published, the policy mechanism was still an experimental feature of Node.js.
Affected Products
- Nodejs Node.js
Affected Vendors
- Nodejs