CVE-2023-23919

Summary

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.

Affected Software

VendorProductVersion RangeStatus
NodeJSNode4.0 < 4.*affected
NodeJSNode5.0 < 5.*affected
NodeJSNode6.0 < 6.*affected
NodeJSNode7.0 < 7.*affected
NodeJSNode8.0 < 8.*affected
NodeJSNode9.0 < 9.*affected
NodeJSNode10.0 < 10.*affected
NodeJSNode11.0 < 11.*affected
NodeJSNode12.0 < 12.*affected
NodeJSNode13.0 < 13.*affected
NodeJSNode14.0 < 14.21.3affected
NodeJSNode15.0 < 15.*affected
NodeJSNode16.0 < 16.19.1affected
NodeJSNode17.0 < 17.*affected
NodeJSNode18.0 < 18.14.1affected
NodeJSNode19.0 < 19.2.0affected

Weaknesses

  • CWE-310: Cryptographic Issues - Generic (CWE-310)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References