Nodejs Node.js 20.5.0

5 matches found

CVE | added 2023/08/24 1:23 a.m. | 3143 views

CVE-2023-32559

CVE-2023-32559 describes a privilege-escalation vulnerability in Node.js via the experimental policy mechanism. The attack leverages the deprecated API process.binding(), potentially bypassing policy.json and abusing process.binding('spawn_sync') to run arbitrary code outside policy limits. The i...

CVSS 7.5 | AI score 8.7 | EPSS 0.01484

CVE | added 2023/08/21 4:52 p.m. | 720 views

CVE-2023-32002

CVE-2023-32002 concerns Node.js where the policy mechanism (experimental) can be bypassed via Module._load(), allowing modules outside policy.json. The CVE affects all supported lines using the experimental policy (Node.js 16.x, 18.x, 20.x). Connected advisories confirm affected packages as Node...

CVSS 9.8 | AI score 9.3 | EPSS 0.0143

CVE | added 2023/08/15 3:10 p.m. | 717 views

CVE-2023-32006

CVE-2023-32006 affects Node.js when using the experimental policy mechanism (supported in 16.x, 18.x, 20.x). The root cause is that module.constructor.createRequire() can bypass policy and load modules outside policy.json. Multiple advisories reference the vulnerability alongside other policy-rel...

CVSS 8.8 | AI score 9.1 | EPSS 0.01273

CVE | added 2023/08/15 3:10 p.m. | 676 views

CVE-2023-32004

CVE-2023-32004 concerns Node.js 20, specifically its experimental permission model. Available sources describe a vulnerability in the file-system APIs where improper handling of Buffers can cause a traversal path to bypass file permission checks. The issue affects users operating under the experi...

CVSS 8.8 | AI score 8.8 | EPSS 0.01817

CVE | added 2023/08/15 3:10 p.m. | 634 views

CVE-2023-32003

CVE-2023-32003 is described in the connected F5 advisory as a path-traversal flaw in Node.js 20's experimental permission model, where fs.mkdtemp() and fs.mkdtempSync() lack a necessary permission-check, allowing a malicious actor to create an arbitrary directory. The impact is limited to users e...

CVSS 5.3 | AI score 6.9 | EPSS 0.01048