CVE-2023-23920: 
npm vulnerability analysis and mitigation

An untrusted search path vulnerability (CVE-2023-23920) was discovered in Node.js versions <19.6.1, <18.14.1, <16.19.1, and <14.21.3. This vulnerability could allow an attacker to search and potentially load ICU data when running with elevated privileges (NodeJS Blog, MITRE).

The vulnerability stems from Node.js's handling of ICU (International Components for Unicode) data loading. When running with elevated privileges, Node.js would search and potentially load ICU data from untrusted locations. To address this issue, Node.js was modified to build with ICUNOUSERDATAOVERRIDE flag to prevent unauthorized data loading. The vulnerability has been assigned a CVSS score of 4.2 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N (NetApp Advisory).

The successful exploitation of this vulnerability could lead to unauthorized loading of ICU data when Node.js is running with elevated privileges, potentially resulting in the addition or modification of data (NetApp Advisory).

The vulnerability has been fixed in Node.js versions 19.6.1, 18.14.1, 16.19.1, and 14.21.3. Users are recommended to upgrade to these or later versions. The fix involves building Node.js with ICUNOUSERDATAOVERRIDE to prevent unauthorized ICU data loading (NodeJS Blog).