The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism (the --experimental-policy flag and its policy.json manifest) and require modules outside of the policy.json definition: the check applies to the module-scoped require() a policy-governed script is handed, while the Module.prototype.require method reached through the main module's prototype is the same loader and was not subject to it. This vulnerability affects all users of the experimental policy mechanism in all active release lines: v16, v18 and v20.
Please note that at the time this CVE was issued, the policy mechanism was an experimental feature of Node.js.
References
| Link | Resource |
|---|---|
| https://nodejs.org/en/blog/vulnerability/june-2023-security-releases | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: hackerone
Published: 2023-11-22T23:28:30.768Z
Updated: 2023-11-22T23:28:30.768Z
Reserved: 2023-04-13T01:00:12.085Z
Link: CVE-2023-30581
NVD Information
Status : Analyzed
Published: 2023-11-23T00:15:07.980
Modified: 2023-12-11T20:49:02.543
Link: CVE-2023-30581
Redhat Information
No data.
CWE