https://hackerone.com/reports/1960870
The use of Module._load()
and require.extensions[".js"]
can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Permission policies limit a project to a specific set of authorized node js built-in modules. For example a project could attempt to limit the use of child_process which could be bypassed leading to remote code execution.