CVE-2023-23920 in Node.js
Summary
by MITRE • 02/23/2023
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/03/2025
The vulnerability identified as CVE-2023-23920 represents a critical untrusted search path issue within Node.js runtime environments. This flaw affects multiple version branches including Node.js 19.x below 19.6.1, 18.x below 18.14.1, 16.x below 16.19.1, and 14.x below 14.21.3, creating a widespread impact across the Node.js ecosystem. The vulnerability specifically manifests when Node.js applications execute with elevated privileges, creating a dangerous attack surface where malicious actors can manipulate the ICU (International Components for Unicode) data loading process. The root cause stems from the application's failure to properly validate or sanitize the search paths used to locate ICU data files, allowing for path traversal and arbitrary code execution through crafted data manipulation.
The technical exploitation of this vulnerability leverages the inherent trust placed in the system's default search paths for ICU data resolution. When Node.js applications run with elevated privileges, the system searches through predefined directories to locate necessary internationalization resources. Attackers can manipulate this process by placing malicious ICU data files in directories that are searched before the legitimate system locations, effectively hijacking the data loading mechanism. This behavior aligns with CWE-427 Uncontrolled Search Path Element, which specifically addresses the risk of applications searching directories in an uncontrolled manner. The vulnerability enables attackers to bypass normal security restrictions and potentially execute arbitrary code with the privileges of the running Node.js process, making it particularly dangerous in environments where Node.js applications are granted elevated permissions.
The operational impact of CVE-2023-23920 extends beyond simple privilege escalation, as it can facilitate broader system compromise when Node.js applications operate with administrative privileges. This vulnerability is particularly concerning in containerized environments, serverless architectures, and microservices deployments where Node.js applications often run with elevated permissions to perform necessary system operations. The attack vector is especially dangerous when combined with other exploitation techniques, as it can serve as a foothold for more sophisticated attacks within the system. Organizations using Node.js in production environments may face significant security implications, including potential data breaches, service disruption, and unauthorized access to sensitive system resources. The vulnerability's impact is amplified in environments where Node.js applications handle sensitive data processing or perform administrative functions, as the privilege escalation could lead to complete system compromise.
Mitigation strategies for CVE-2023-23920 should prioritize immediate version upgrades to patched releases of Node.js, specifically targeting versions 19.6.1, 18.14.1, 16.19.1, and 14.21.3 respectively. System administrators should implement comprehensive patch management protocols to ensure all Node.js installations are updated promptly across all environments. Additionally, organizations should consider implementing strict file system permissions and access controls for ICU data directories, ensuring that only authorized processes can modify or create files in these locations. The implementation of runtime monitoring and intrusion detection systems can help identify suspicious file system activities related to ICU data loading. Security teams should also conduct thorough code reviews to identify applications that may be running with elevated privileges unnecessarily, as this vulnerability is only exploitable when Node.js executes with elevated permissions. Organizations should consider implementing the principle of least privilege, ensuring that Node.js applications operate with minimal required permissions to reduce the potential impact of such vulnerabilities. This vulnerability demonstrates the importance of secure coding practices and proper input validation, aligning with ATT&CK technique T1068 Privilege Escalation through the exploitation of untrusted search paths.