CVE-2023-32559: 
npm vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2023-32559) exists in the experimental policy mechanism across all active Node.js release lines: 16.x, 18.x, and 20.x. The vulnerability was disclosed in August 2023 and affects Node.js versions from 16.0.0 through 16.20.1, 18.0.0 through 18.17.0, and 20.0.0 through 20.5.0 (NVD).

The vulnerability stems from the use of the deprecated API process.binding() which can bypass the policy mechanism by requiring internal modules. An attacker can exploit this by taking advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a policy.json file. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to bypass policy mechanism restrictions and execute arbitrary code outside the defined policy limits (NetApp Advisory).

The vulnerability was addressed in Node.js version 16.20.2 and subsequent releases. Users are advised to upgrade to the patched versions to mitigate the risk (Node.js Blog).