VYPR
Medium severity 5.3 · NVD Advisory · Published Sep 7, 2024 · Updated Apr 15, 2026

CVE-2023-39333

Description

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module.

This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the --experimental-wasm-modules command line option.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafted WebAssembly export names can inject JavaScript code in Node.js when using experimental WebAssembly modules, potentially allowing access to restricted data.

Vulnerability Overview

CVE-2023-39333 is a code injection vulnerability in Node.js that arises when the experimental WebAssembly modules feature is enabled via the --experimental-wasm-modules command-line option. Maliciously crafted export names in an imported WebAssembly module can inject arbitrary JavaScript code into the Node.js process. This occurs because the export names are not properly sanitized before being evaluated, allowing an attacker to break out of the expected context.

Exploitation Conditions

To exploit this vulnerability, an attacker must supply a WebAssembly module with specially crafted export names. The vulnerable feature is only active if Node.js is started with the --experimental-wasm-modules flag, which is not enabled by default. The injected JavaScript code runs in the same privilege context as the Node.js application, potentially accessing data and functions that the WebAssembly module itself does not have access to, similar to a JavaScript module.

Impact

Successful exploitation could allow an attacker to access sensitive data or call internal functions that are not exposed to the WebAssembly module. This could lead to information disclosure, privilege escalation, or further compromise of the Node.js application and its environment.

Mitigation

Node.js released security updates for the v18.x and v20.x release lines in October 2023 to address this vulnerability [1]. Users are strongly advised to upgrade to the latest patched versions. As an additional precaution, users who do not require the experimental WebAssembly modules feature should avoid enabling it with --experimental-wasm-modules.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
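
A pre-import audit for deployments that still have to run with --experimental-wasm-modules, as an added example that is not Node.js code and not part of the advisory: it lists a module's export names with `WebAssembly.Module.exports()` and flags any that are not plain ASCII identifiers. The helper names, the identifier allowlist and the sample modules are assumptions constructed for illustration.

```javascript
// Added example (not Node.js source). buildWasm() constructs a minimal sample
// module that exports one no-op function under the given name.
function buildWasm(name) {
  // Export names are arbitrary UTF-8 strings; the format imposes no identifier rules.
  const n = Array.from(new TextEncoder().encode(name)); // keep under 128 bytes (1-byte length)
  const exportBody = [0x01, n.length, ...n, 0x00, 0x00]; // 1 export: name, kind=func, index 0
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm" magic, version 1
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: () -> ()
    0x03, 0x02, 0x01, 0x00,                         // function section: func 0 has type 0
    0x07, exportBody.length, ...exportBody,         // export section
    0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: one empty body
  ]);
}

// Assumed policy: accept only plain ASCII identifiers. This is deliberately
// stricter than JavaScript's identifier grammar, so Unicode names are flagged too.
const PLAIN_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Compiles the bytes (no instantiation, so no module code runs) and reports
// every export whose name falls outside the allowlist.
function auditWasmExports(bytes) {
  const module = new WebAssembly.Module(bytes);
  const suspicious = WebAssembly.Module.exports(module)
    .filter(({ name }) => !PLAIN_IDENTIFIER.test(name))
    .map(({ name, kind }) => ({ name, kind }));
  return { ok: suspicious.length === 0, suspicious };
}

// Constructed samples: one ordinary export name, one containing a quote and a semicolon.
const samples = { ordinary: buildWasm("add"), crafted: buildWasm('a"; b') };
for (const [label, bytes] of Object.entries(samples)) {
  const { ok, suspicious } = auditWasmExports(bytes);
  console.log(label, ok ? "ok" : "rejected", JSON.stringify(suspicious));
}
```

Run the audit on third-party `.wasm` files before they reach an `import` statement; it complements, and does not replace, upgrading to a patched release.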

Affected products: 26
