CVE-2023-32006: 
npm vulnerability analysis and mitigation

CVE-2023-32006 is a medium severity vulnerability affecting Node.js's experimental policy mechanism. The vulnerability was discovered in 2023 and affects all active release lines: 16.x, 18.x, and 20.x. The issue occurs when using module.constructor.createRequire(), which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module (Node.js Blog).

The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical issue involves the use of module.constructor.createRequire() which can circumvent the intended policy restrictions, allowing modules to be required outside of the defined policy.json configuration (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects all users using the experimental policy mechanism in Node.js versions 16.x through 20.x (NetApp Advisory).

The vulnerability has been fixed in Node.js versions 16.20.2 (LTS), 18.17.1 (LTS), and 20.5.1 (Current). Users are advised to upgrade to these patched versions to mitigate the vulnerability. The fix was implemented by Rafael Gonzaga and Bradley Farias (Node.js Blog).

The vulnerability was reported by Axel Chong and fixed through a collaborative effort between Rafael Gonzaga and Bradley Farias. The Node.js project treated this as a medium severity issue and included it in a broader security update that addressed multiple vulnerabilities (Node.js Blog).