Node.js Security Releases: August 9th, 2023
The article announces security releases for Node.js on August 9th, 2023. The releases are available for the v16.x, v18.x, and v20.x Node.js release lines. The article highlights several security vulnerabilities and their impacts:

- CVE-2023-32002: Module._load() can bypass permissions policies, potentially requiring modules outside of the policy.json definition.
- CVE-2023-32004: improper handling of Buffers in file system APIs allows a path traversal bypass of file permissions.
- CVE-2023-32558: the deprecated API process.binding() can bypass the permission model through path traversal.
- CVE-2023-32006: module.constructor.createRequire() can bypass policies and require modules outside of the policy.json definition.
- CVE-2023-32559: the deprecated API process.binding() can bypass policies and execute arbitrary code.

The article emphasizes that these vulnerabilities were discovered in experimental features of Node.js. Developers are advised to update their Node.js versions to address these security issues.
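The Buffer-handling class of bug summarized for CVE-2023-32004, as an added example that is not Node.js source code and not taken from the article: a path check that normalizes strings but not Buffers, beside a version that canonicalizes every accepted path type first. ALLOWED_ROOT, the function names and the sample paths are assumptions made for illustration, and symbolic links are not considered.

```javascript
// Added illustration of the bug class; not Node.js source code.
const path = require('node:path');

const ALLOWED_ROOT = '/srv/app/data'; // hypothetical directory granted by the policy

function underRoot(resolved) {
  return resolved === ALLOWED_ROOT || resolved.startsWith(ALLOWED_ROOT + '/');
}

// Flawed check: string paths are normalized, but Buffer paths are only
// prefix-compared, so their ".." segments are never resolved.
function isAllowedNaive(target) {
  if (typeof target === 'string') return underRoot(path.posix.resolve(target));
  return Buffer.from(target).toString('latin1').startsWith(ALLOWED_ROOT + '/');
}

// Convert every accepted path type to one canonical string before checking.
function canonicalize(target) {
  let text = target;
  if (target instanceof Uint8Array) { // Buffer is a Uint8Array subclass
    const bytes = Buffer.from(target.buffer, target.byteOffset, target.byteLength);
    text = bytes.toString('utf8');
    // Invalid UTF-8 decodes lossily; refuse it rather than check a different path.
    if (!Buffer.from(text, 'utf8').equals(bytes)) throw new TypeError('path is not valid UTF-8');
  } else if (typeof target !== 'string') {
    throw new TypeError('unsupported path type');
  }
  if (text.includes('\0')) throw new TypeError('path contains a NUL byte');
  return path.posix.resolve(text); // collapses "." and ".." segments
}

// Hardened check: same decision for a string and its Buffer encoding; fails closed.
function isAllowed(target) {
  try { return underRoot(canonicalize(target)); } catch { return false; }
}

// Constructed sample inputs: each path once as a string and once as a Buffer.
const samples = [
  '/srv/app/data/report.csv',
  '/srv/app/data/../secrets/key.pem',
  Buffer.from('/srv/app/data/report.csv'),
  Buffer.from('/srv/app/data/../secrets/key.pem'),
];

function compare(inputs) {
  return inputs.map((p) => ({ input: String(p), naive: isAllowedNaive(p), hardened: isAllowed(p) }));
}

console.table(compare(samples));
```

The two checks disagree only on the last sample, which is the case a test suite for any path-based permission check should cover for every input type the API accepts.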