Amazon Linux 2023: CVE-2023-30581: Important priority package update for nodejs

Amazon Linux 2023: CVE-2023-30581: Important priority package update for nodejs

Severity

8

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:N)

Published

06/20/2023

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js A vulnerability has been discovered in Node.js,where the use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition.

Solution(s)

• amazon-linux-2023-upgrade-nodejs
• amazon-linux-2023-upgrade-nodejs-debuginfo
• amazon-linux-2023-upgrade-nodejs-debugsource
• amazon-linux-2023-upgrade-nodejs-devel
• amazon-linux-2023-upgrade-nodejs-docs
• amazon-linux-2023-upgrade-nodejs-full-i18n
• amazon-linux-2023-upgrade-nodejs-libs
• amazon-linux-2023-upgrade-nodejs-libs-debuginfo
• amazon-linux-2023-upgrade-npm
• amazon-linux-2023-upgrade-v8-devel

References

• https://attackerkb.com/topics/cve-2023-30581
• CVE - 2023-30581
• https://alas.aws.amazon.com/AL2023/ALAS-2023-237.html