vulnerability

Red Hat: CVE-2023-32006: Permissions policies can impersonate other modules in using module.constructor.createRequire() (Multiple Advisories)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:S/C:P/I:C/A:N)	Aug 15, 2023	Sep 27, 2023	Sep 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:C/A:N)

Published

Aug 15, 2023

Added

Sep 27, 2023

Modified

Sep 15, 2025

Description

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Solutions

redhat-upgrade-nodejsredhat-upgrade-nodejs-debuginforedhat-upgrade-nodejs-debugsourceredhat-upgrade-nodejs-develredhat-upgrade-nodejs-docsredhat-upgrade-nodejs-full-i18nredhat-upgrade-nodejs-libsredhat-upgrade-nodejs-libs-debuginforedhat-upgrade-nodejs-nodemonredhat-upgrade-nodejs-packagingredhat-upgrade-nodejs-packaging-bundlerredhat-upgrade-npm

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today