{"api_version":"1","generated_at":"2026-04-22T23:31:18+00:00","cve":"CVE-2023-32002","urls":{"html":"https://cve.report/CVE-2023-32002","api":"https://cve.report/api/cve/CVE-2023-32002.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-32002","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-32002"},"summary":{"title":"CVE-2023-32002","description":"The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-08-21 17:15:00","updated_at":"2023-09-15 14:15:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20230915-0009/","name":"https://security.netapp.com/advisory/ntap-20230915-0009/","refsource":"MISC","tags":[],"title":"August 2023 Node.js Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/1960870","name":"https://hackerone.com/reports/1960870","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-32002","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32002","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"32002","vulnerable":"1","versionEndIncluding":"16.20.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32002","vulnerable":"1","versionEndIncluding":"18.17.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32002","vulnerable":"1","versionEndIncluding":"20.5.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-32002","qid":"160945","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-5363)"},{"cve":"CVE-2023-32002","qid":"160946","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-5362)"},{"cve":"CVE-2023-32002","qid":"160947","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-5360)"},{"cve":"CVE-2023-32002","qid":"160964","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2023-5532)"},{"cve":"CVE-2023-32002","qid":"242084","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5363)"},{"cve":"CVE-2023-32002","qid":"242085","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5361)"},{"cve":"CVE-2023-32002","qid":"242086","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5362)"},{"cve":"CVE-2023-32002","qid":"242087","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5360)"},{"cve":"CVE-2023-32002","qid":"242126","title":"Red Hat Update for nodejs (RHSA-2023:5532)"},{"cve":"CVE-2023-32002","qid":"242132","title":"Red Hat Update for nodejs security (RHSA-2023:5533)"},{"cve":"CVE-2023-32002","qid":"284408","title":"Fedora Security Update for nodejs16 (FEDORA-2023-d12a917ab4)"},{"cve":"CVE-2023-32002","qid":"284421","title":"Fedora Security Update for nodejs16 (FEDORA-2023-18476abd7e)"},{"cve":"CVE-2023-32002","qid":"503420","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-32002","qid":"505900","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-32002","qid":"6000404","title":"Debian Security Update for nodejs (DSA 5589-1)"},{"cve":"CVE-2023-32002","qid":"907315","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (27942-1)"},{"cve":"CVE-2023-32002","qid":"907346","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (27940-1)"},{"cve":"CVE-2023-32002","qid":"941273","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5362)"},{"cve":"CVE-2023-32002","qid":"941274","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:5360)"},{"cve":"CVE-2023-32002","qid":"941275","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5363)"},{"cve":"CVE-2023-32002","qid":"941291","title":"AlmaLinux Security Update for nodejs (ALSA-2023:5532)"},{"cve":"CVE-2023-32002","qid":"961024","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:5363)"},{"cve":"CVE-2023-32002","qid":"961044","title":"Rocky Linux Security Update for nodejs (RLSA-2023:5532)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-32002","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Node.js","product":{"product_data":[{"product_name":"Node.js","version":{"version_data":[{"version_affected":"<=","version_name":"20.5.0","version_value":"20.5.0"},{"version_affected":"<=","version_name":"18.17.0","version_value":"18.17.0"},{"version_affected":"<=","version_name":"16.20.1","version_value":"16.20.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://hackerone.com/reports/1960870","refsource":"MISC","name":"https://hackerone.com/reports/1960870"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0009/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230915-0009/"}]}},"nvd":{"publishedDate":"2023-08-21 17:15:00","lastModifiedDate":"2023-09-15 14:15:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*","versionStartIncluding":"20.0.0","versionEndIncluding":"20.5.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0.0","versionEndIncluding":"18.17.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*","versionStartIncluding":"16.0.0","versionEndIncluding":"16.20.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}