{"id":"UBUNTU-CVE-2023-23918","details":"A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access unauthorized modules by using process.mainModule.require(). This affects only users who had enabled the experimental permissions option with --experimental-policy.","modified":"2025-07-16T07:57:28.801774Z","published":"2023-02-23T20:15:00Z","withdrawn":"2025-07-18T16:54:21Z","upstream":["CVE-2023-23918"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-23918"},{"type":"REPORT","url":"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918"},{"type":"REPORT","url":"https://github.com/nodejs/node/commit/af9140088621abd09016848f4526d66b7a81b9ba"},{"type":"REPORT","url":"https://github.com/nodejs/node/commit/9b7db62276e4a9c97aedf91daf38bf7b7d23fee4"},{"type":"REPORT","url":"https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-23918"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/nodejs@18.19.1+dfsg-2ubuntu4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.19.1+dfsg-2ubuntu4"}]}],"versions":["18.13.0+dfsg1-1ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"libnode-dev"},{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"libnode108"},{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"libnode108-dbgsym"},{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"nodejs"},{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"nodejs-dbgsym"},{"binary_version":"18.19.1+dfsg-2ubuntu4","binary_name":"nodejs-doc"}],
"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-23918.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}