Skip to main content

Untrusted Search Path


Severity Medium
Score 4.2/10


An untrusted search path vulnerability exists in Node.js. This issue affects versions 14.0.x prior to 14.21.3, 16.0.x prior to 16.19.1, 18.0.x prior to 18.14.1, and 19.0.x prior to 19.6.1 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. NOTE: The affected versions of this package are not available in a package manager we support.

  • LOW
  • HIGH
  • HIGH
  • NONE
  • NONE

CWE-426 - Untrusted Search Path

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

Advisory Timeline

  • Published