CVE-2023-32002 Report - Details, Severity, & Advisories

Twingate Team

Jun 28, 2024

What is CVE-2023-32002?

CVE-2023-32002 is a critical vulnerability in Node.js, affecting systems using the experimental policy mechanism in release lines 16.x, 18.x, and 20.x. This flaw allows bypassing the policy mechanism, enabling the use of modules outside the defined policy.json, which can lead to sensitive information disclosure, data modification, or denial of service. Users should update their Node.js versions to address this issue.

Who is impacted by CVE-2023-32002?

This vulnerability affects users of Node.js versions 16.0.0 to 16.20.1, 18.0.0 to 18.17.0, and 20.0.0 to 20.5.0 who are using the experimental policy mechanism. It can result in sensitive information disclosure, data modification, or denial of service for these users.
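An added example (not code from the Node.js project or from this report) that checks both conditions above: whether a Node.js version falls inside the affected ranges listed here, and whether the policy mechanism is switched on. It assumes the mechanism is enabled through the `--experimental-policy` flag, on the command line or in `NODE_OPTIONS`; the function names are illustrative.

```javascript
// Added example: exposure check for CVE-2023-32002 (not Node.js project code).
// Affected ranges are the ones stated on this page, inclusive on both ends.
const AFFECTED_RANGES = [
  { min: [16, 0, 0], max: [16, 20, 1] },
  { min: [18, 0, 0], max: [18, 17, 0] },
  { min: [20, 0, 0], max: [20, 5, 0] },
];

// Parse "v18.17.0" or "18.17.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inAffectedRange(version) {
  const v = parseVersion(version);
  if (!v) throw new TypeError(`unparseable Node.js version: ${version}`);
  return AFFECTED_RANGES.some(r => compare(v, r.min) >= 0 && compare(v, r.max) <= 0);
}

// Assumption: the policy mechanism is enabled with --experimental-policy,
// passed on the command line (execArgv) or through NODE_OPTIONS.
function policyEnabled(execArgv, nodeOptions) {
  const args = [...execArgv, ...String(nodeOptions || '').split(/\s+/)];
  return args.some(a => a === '--experimental-policy' || a.startsWith('--experimental-policy='));
}

// A process is exposed only when both conditions hold.
function assessExposure(version, execArgv = [], nodeOptions = '') {
  const affectedVersion = inAffectedRange(version);
  const usesPolicy = policyEnabled(execArgv, nodeOptions);
  return { version, affectedVersion, usesPolicy, exposed: affectedVersion && usesPolicy };
}

// Assess the running process.
console.log(assessExposure(process.version, process.execArgv, process.env.NODE_OPTIONS));
```

Run it with the same Node.js binary, flags and environment as the service being assessed, since the result depends on all three.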

What to do if CVE-2023-32002 affected you

If you're affected by the CVE-2023-32002 vulnerability, it's essential to take action to protect your system. Follow these simple steps:

  1. Update your Node.js installation to the latest version.

  2. Ensure you're using a version that's not affected by the vulnerability (16.20.1 or later, 18.17.0 or later, or 20.5.0 or later).

  3. Monitor security advisories for any new information or updates.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-32002 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This vulnerability, discovered in Node.js, allows bypassing the policy mechanism and requiring modules outside of the policy.json definition for a given module.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-Insufficient Information, indicating a lack of specific details about the vulnerability and its mitigation.

Learn More

To learn more about this vulnerability, including its description, severity, technical details, and known affected software configurations, visit the NVD page or refer to the sources listed below.
