{"api_version":"1","generated_at":"2026-04-22T23:31:22+00:00","cve":"CVE-2023-32006","urls":{"html":"https://cve.report/CVE-2023-32006","api":"https://cve.report/api/cve/CVE-2023-32006.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-32006","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-32006"},"summary":{"title":"CVE-2023-32006","description":"The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-08-15 16:15:00","updated_at":"2023-09-15 14:15:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20230915-0009/","name":"https://security.netapp.com/advisory/ntap-20230915-0009/","refsource":"MISC","tags":[],"title":"August 2023 Node.js Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: nodejs18-18.17.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/2043807","name":"https://hackerone.com/reports/2043807","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: nodejs16-16.20.2-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-32006","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32006","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"32006","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32006","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32006","vulnerable":"1","versionEndIncluding":"16.20.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32006","vulnerable":"1","versionEndIncluding":"18.17.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32006","vulnerable":"1","versionEndIncluding":"20.5.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-32006","qid":"160945","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-5363)"},{"cve":"CVE-2023-32006","qid":"160946","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-5362)"},{"cve":"CVE-2023-32006","qid":"160947","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-5360)"},{"cve":"CVE-2023-32006","qid":"160964","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2023-5532)"},{"cve":"CVE-2023-32006","qid":"242084","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5363)"},{"cve":"CVE-2023-32006","qid":"242085","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5361)"},{"cve":"CVE-2023-32006","qid":"242086","title":"Red Hat Update for nodejs:18 security (RHSA-2023:5362)"},{"cve":"CVE-2023-32006","qid":"242087","title":"Red Hat Update for nodejs:16 security (RHSA-2023:5360)"},{"cve":"CVE-2023-32006","qid":"242126","title":"Red Hat Update for nodejs (RHSA-2023:5532)"},{"cve":"CVE-2023-32006","qid":"242132","title":"Red Hat Update for nodejs security (RHSA-2023:5533)"},{"cve":"CVE-2023-32006","qid":"284408","title":"Fedora Security Update for nodejs16 (FEDORA-2023-d12a917ab4)"},{"cve":"CVE-2023-32006","qid":"284421","title":"Fedora Security Update for nodejs16 (FEDORA-2023-18476abd7e)"},{"cve":"CVE-2023-32006","qid":"503420","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-32006","qid":"505900","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2023-32006","qid":"6000404","title":"Debian Security Update for nodejs (DSA 5589-1)"},{"cve":"CVE-2023-32006","qid":"907290","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (27926-1)"},{"cve":"CVE-2023-32006","qid":"907309","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (27941-1)"},{"cve":"CVE-2023-32006","qid":"941273","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5362)"},{"cve":"CVE-2023-32006","qid":"941274","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:5360)"},{"cve":"CVE-2023-32006","qid":"941275","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:5363)"},{"cve":"CVE-2023-32006","qid":"941291","title":"AlmaLinux Security Update for nodejs (ALSA-2023:5532)"},{"cve":"CVE-2023-32006","qid":"961024","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:5363)"},{"cve":"CVE-2023-32006","qid":"961044","title":"Rocky Linux Security Update for nodejs (RLSA-2023:5532)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-32006","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.\n\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.\n\nPlease note that at the time this CVE was issued, the policy is an experimental feature of Node.js."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Node.js","product":{"product_data":[{"product_name":"Node.js","version":{"version_data":[{"version_affected":"<=","version_name":"20.5.0","version_value":"20.5.0"},{"version_affected":"<=","version_name":"18.17.0","version_value":"18.17.0"},{"version_affected":"<=","version_name":"16.20.1","version_value":"16.20.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://hackerone.com/reports/2043807","refsource":"MISC","name":"https://hackerone.com/reports/2043807"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBOZE2QZIBLFFTYWYN23FGKN6HULZ6HX/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQPELKG2LVTADSB7ME73AV4DXQK47PWK/"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0009/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230915-0009/"}]}},"nvd":{"publishedDate":"2023-08-15 16:15:00","lastModifiedDate":"2023-09-15 14:15:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"20.0.0","versionEndIncluding":"20.5.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndIncluding":"16.20.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"18.0.0","versionEndIncluding":"18.17.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}