{"id":"CVE-2023-38552","details":"When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.\nImpacts:\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.\nPlease note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.","aliases":["BIT-node-2023-38552","BIT-node-min-2023-38552"],"modified":"2026-05-28T04:09:00.702021859Z","published":"2023-10-18T03:55:18.483Z","related":["ALSA-2023:5849","ALSA-2023:5869","ALSA-2023:7205","CGA-5h5g-xhc8-ppx4","SUSE-SU-2023:4132-1","SUSE-SU-2023:4133-1","SUSE-SU-2023:4150-1","SUSE-SU-2023:4155-1","SUSE-SU-2023:4207-1","SUSE-SU-2023:4259-1","SUSE-SU-2023:4373-1","SUSE-SU-2023:4374-1","openSUSE-SU-2024:13337-1","openSUSE-SU-2024:13340-1"],"database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.0"},{"fixed":"4.*"},{"introduced":"5.0"},{"fixed":"5.*"},{"introduced":"6.0"},{"fixed":"6.*"},{"introduced":"7.0"},{"fixed":"7.*"},{"introduced":"8.0"},{"fixed":"8.*"},{"introduced":"9.0"},{"fixed":"9.*"},{"introduced":"10.0"},{"fixed":"10.*"},{"introduced":"11.0"},{"fixed":"11.*"},{"introduced":"12.0"},{"fixed":"12.*"},{"introduced":"13.0"},{"fixed":"13.*"},{"introduced":"14.0"},{"fixed":"14.*"},{"introduced":"15.0"},{"fixed":"15.*"},{"introduced":"16.0"},{"fixed":"16.*"},{"introduced":"17.0"},{"fixed":"17.*"},{"introduced":"18.0"},{"fixed":"18.18.2"},{"introduced":"19.0"},{"fixed":"19.*"},{"introduced":"20.0"},{"fixed":"20.8.1"}]}],"cna_assigner":"hackerone","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38552.json"},"references":[{"type":"WEB","url":"https://hackerone.com/reports/2094235"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38552.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38552"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20231116-0013/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0002/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"49a77a5a996a49e8cb728eed42e55a7c1a9eef6e"},{"last_affected":"7615798b633f0d39af329fe2bdc45dbb10c7cfe4"},{"introduced":"68ef4a687d5a1802b9f585d7f464c44ce6caa766"},{"last_affected":"a86c2caea9c329442bbbd8eeec6d5385b594b7ca"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"18.0.0"},{"last_affected":"18.18.1"},{"introduced":"20.1.0"},{"last_affected":"20.8.0"}],"cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"}}],"versions":["v18.18.1","v20.8.0","v18.18.0","v20.7.0","v20.6.1","v20.6.0","v20.5.1","v18.17.1","v20.5.0","v18.17.0","v20.4.0","v18.16.1","v20.3.1","v20.3.0","v20.2.0","v20.1.0","v18.16.0","v18.15.0","v18.14.2","v18.14.1","v18.14.0","v18.13.0","v18.12.1","v18.12.0","v18.11.0","v18.10.0","v18.9.1","v18.9.0","v18.8.0","v18.7.0","v18.6.0","v18.5.0","v18.4.0","v18.3.0","v18.2.0","v18.1.0","v18.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38552.json"}}],"schema_version":"1.7.5"}