The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users of the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
                
History
Fri, 11 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |
Mon, 07 Oct 2024 19:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Nodejs nodejs | |
| Weaknesses | CWE-288 | |
| CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
| Vendors & Products | Nodejs nodejs | |
| Metrics | ssvc | |
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2023-08-21T16:52:42.147Z
Updated: 2025-07-02T14:48:45.647Z
Reserved: 2023-05-01T01:00:12.220Z
Link: CVE-2023-32002
Vulnrichment
Updated: 2024-08-02T15:03:28.656Z
NVD
Status: Modified
Published: 2023-08-21T17:15:47.000
Modified: 2025-07-02T15:15:23.957
Link: CVE-2023-32002
Redhat