{"id":"CVE-2023-38552","details":"When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.\nImpacts:\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x.\nPlease note that at the time this CVE was issued, the policy mechanism was an experimental feature of Node.js.","aliases":["BIT-node-2023-38552","BIT-node-min-2023-38552"],"modified":"2026-03-20T12:29:49.182474Z","published":"2023-10-18T04:15:11.200Z","related":["ALSA-2023:5849","ALSA-2023:5869","ALSA-2023:7205","CGA-5h5g-xhc8-ppx4","MGASA-2023-0299","SUSE-SU-2023:4132-1","SUSE-SU-2023:4133-1","SUSE-SU-2023:4150-1","SUSE-SU-2023:4155-1","SUSE-SU-2023:4207-1","SUSE-SU-2023:4259-1","SUSE-SU-2023:4373-1","SUSE-SU-2023:4374-1","openSUSE-SU-2024:13337-1","openSUSE-SU-2024:13340-1"],"references":[{"type":"ADVISORY","url":"https://hackerone.com/reports/2094235"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0002/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"},{"type":"ADVISORY","url":"https://lists.fedora
project.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20231116-0013/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"49a77a5a996a49e8cb728eed42e55a7c1a9eef6e"},{"last_affected":"7615798b633f0d39af329fe2bdc45dbb10c7cfe4"},{"introduced":"68ef4a687d5a1802b9f585d7f464c44ce6caa766"},{"last_affected":"a86c2caea9c329442bbbd8eeec6d5385b594b7ca"}],"database_specific":{"versions":[{"introduced":"18.0.0"},{"last_affected":"18.18.1"},{"introduced":"20.1.0"},{"last_affected":"20.8.0"}]}}],"versions":["v18.0.0","v18.1.0","v18.10.0","v18.11.0","v18.12.0","v18.12.1","v18.13.0","v18.14.0","v18.14.1","v18.14.2","v18.15.0","v18.16.0","v18.16.1","v18.17.0","v18.17.1","v18.18.0","v18.18.1","v18.2.0","v18.3.0","v18.4.0","v18.5.0","v18.6.0","v18.7.0","v18.8.0","v18.9.0","v18.9.1","v20.1.0","v20.2.0","v20.3.0","v20.3.1","v20.4.0","v20.5.0","v20.5.1","v20.6.0","v20.6.1","v20.7.0","v20.8.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]},{"events":[{"introduced":"0"},{"last_affected":"39"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38552.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}