CVE-2023-30581

Description

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

How to fix CVE-2023-30581

To remediate CVE-2023-30581, upgrade the affected package to a fixed version below.

• —upgrade to 16.20.1 or later
• —upgrade to 16.20.1 or later
• —no fix listed

Is CVE-2023-30581 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
• >= 16.0.0, < 16.20.1, >= 18.0.0, < 18.16.1, >= 20.0.0, < 20.3.1
• from 0

CVSS scores

References (4)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-30581
• WEBnodejs.org/en/blog/vulnerability/june-2023-security-releases
• WEBnvd.nist.gov/vuln/detail/CVE-2023-30581
• WEBsecurity.netapp.com/advisory/ntap-20241101-0011/