Login Sign Up

CVE-2023-38552

7.5 HIGH

📋 TL;DR

CVE-2023-38552 is a security bypass vulnerability in Node.js's experimental policy mechanism that allows attackers to forge checksums and disable integrity checks. This affects all users of the policy feature in Node.js 18.x and 20.x releases. The vulnerability enables malicious code execution by bypassing resource integrity verification.

💻 Affected Systems

Products:
  • Node.js
Versions: 18.x and 20.x (all active release lines at time of CVE)
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ✅ No
Notes: Only affects users who have enabled the experimental policy mechanism feature. The policy feature is disabled by default.

📦 What is this software?

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Node.js by Nodejs

View all CVEs affecting Node.js →

Node.js by Nodejs

View all CVEs affecting Node.js →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of Node.js security policies leading to arbitrary code execution, privilege escalation, and full system compromise.

🟠

Likely Case

Attackers can load and execute untrusted modules that would normally be blocked by policy integrity checks, potentially leading to data theft or further exploitation.

🟢

If Mitigated

With proper network segmentation and least privilege, impact is limited to the compromised Node.js process scope.

🌐 Internet-Facing: HIGH - Web applications using Node.js policy feature could be exploited remotely to execute arbitrary code.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require initial access to the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the policy feature to be enabled and the attacker to be able to intercept/modify the integrity check operation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 18.18.1, 20.9.1 and later

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/

Restart Required: Yes

Instructions:

1. Update Node.js to version 18.18.1 or 20.9.1 or later. 2. Restart all Node.js applications. 3. Verify the update with 'node --version'.

🔧 Temporary Workarounds

Disable Policy Mechanism

all

Disable the experimental policy feature if not required

Remove or disable policy configuration in your Node.js application

🧯 If You Can't Patch

  • Disable the experimental policy mechanism entirely
  • Implement network segmentation and restrict Node.js applications to isolated environments

🔍 How to Verify

Check if Vulnerable:

Check if using Node.js 18.x or 20.x with policy feature enabled and version below 18.18.1 or 20.9.1

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is 18.18.1+ or 20.9.1+ using 'node --version'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected policy integrity check failures
  • Policy bypass attempts in application logs

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Suspicious module loading patterns

SIEM Query:

source="nodejs" AND (event="policy_integrity_failure" OR event="policy_bypass")

📊 Metadata

CVE ID: CVE-2023-38552
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-345
Published: October 18, 2023
Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-38552, you might also want to check these:

CVE-2022-30315 9.8

Honeywell Experion PKS Safety Manager controllers lack cryptographic authentication for control logi...

Same vulnerability type (CWE-345)
CVE-2025-66255 9.8

This vulnerability allows unauthenticated attackers to upload malicious firmware files to Mozart FM ...

Same vulnerability type (CWE-345)
CVE-2022-26871 9.8

CVE-2022-26871 is a critical arbitrary file upload vulnerability in Trend Micro Apex Central that al...

Same vulnerability type (CWE-345)