Untrusted Search Path
CVE-2023-23920
Summary
An untrusted search path vulnerability exists in Node.js. The issue affects versions 14.0.x prior to 14.21.3, 16.0.x prior to 16.19.1, 18.0.x prior to 18.14.1, and 19.0.x prior to 19.6.1. It could allow an attacker to search for and potentially load ICU data when Node.js is running with elevated privileges. NOTE: The affected versions of this package are not available in a package manager we support.
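A version check for the ranges in the summary, as an added example that is not part of the original advisory or of Node.js. The inventory entries and their field names (`host`, `version`, `elevated`) are constructed for illustration.

```javascript
// First fixed release for each affected release line, from the summary above.
const FIXED = { 14: [14, 21, 3], 16: [16, 19, 1], 18: [18, 14, 1], 19: [19, 6, 1] };

// Parse "v18.14.0" or "18.14.0" into [major, minor, patch]; a pre-release or
// build suffix ("-rc.1", "+build") is ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  if (!m) throw new Error(`not a Node.js version string: ${text}`);
  return m.slice(1, 4).map(Number);
}

// Classify a version as "affected", "fixed", or "not-listed" (a release line
// the advisory does not mention).
function checkVersion(text) {
  const v = parseVersion(text);
  const fixed = FIXED[v[0]];
  if (!fixed) return { status: "not-listed", fixedIn: null };
  // Compare minor, then patch; the major already matches.
  const older = v[1] !== fixed[1] ? v[1] < fixed[1] : v[2] < fixed[2];
  return { status: older ? "affected" : "fixed", fixedIn: fixed.join(".") };
}

// Return the affected entries of an inventory, processes running with
// elevated privileges first, since that is the advisory's precondition.
function audit(inventory) {
  return inventory
    .map((e) => ({ ...e, ...checkVersion(e.version) }))
    .filter((e) => e.status === "affected")
    .sort((a, b) => Number(b.elevated) - Number(a.elevated) || a.host.localeCompare(b.host));
}

// Constructed sample inventory (host names and fields are hypothetical).
const SAMPLE = [
  { host: "build-01", version: "v16.19.1", elevated: true },
  { host: "api-02", version: "v18.12.0", elevated: false },
  { host: "agent-03", version: "14.17.6", elevated: true },
  { host: "edge-04", version: "v20.1.0", elevated: true },
  { host: "cron-05", version: "v19.6.0", elevated: true },
];

for (const e of audit(SAMPLE)) {
  console.log(`${e.host}: ${e.version} affected, upgrade to ${e.fixedIn}` +
    (e.elevated ? " (runs elevated)" : ""));
}
console.log(`this runtime (${process.version}): ${checkVersion(process.version).status}`);
```

A "not-listed" result means only that the advisory does not name that release line; it is not a statement that the line is unaffected.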
- LOW
- LOCAL
- HIGH
- UNCHANGED
- REQUIRED
- HIGH
- NONE
- NONE
CWE-426 - Untrusted Search Path
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.