
CVE-2023-23920: Untrusted Search Path (CWE-426) in NodeJS Node

Medium
Published: Thu Feb 23 2023 (02/23/2023, 00:00:00 UTC)
Source: CVE
Vendor/Project: NodeJS
Product: Node

Description

An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

AI-Powered Analysis

Last updated: 06/25/2025, 05:34:59 UTC

Technical Analysis

CVE-2023-23920 is an untrusted search path vulnerability (CWE-426) in Node.js versions prior to 19.6.1, 18.14.1, 16.19.1, and 14.21.3. When running with elevated privileges, Node.js may search for and load ICU (International Components for Unicode) data from untrusted directories. ICU data is critical for internationalization support, including locale-specific formatting and collation. An attacker with local access and the ability to influence the search path could place malicious ICU data files in a location that Node.js prioritizes during its search. Loading these files could lead to integrity violations, potentially allowing the attacker to alter the behavior of Node.js applications or escalate privileges.

Exploitation requires that Node.js is executed with high privileges (e.g., root or administrator) and that the attacker has some level of local access to manipulate the file system or environment variables affecting the search path. User interaction is also required (UI:R in the CVSS vector). The CVSS score of 4.2 (medium severity) reflects that while the impact on integrity is high, the attack vector is local with low attack complexity and requires elevated privileges and user interaction. There are no known exploits in the wild as of the publication date, and no official patches are linked in the provided data, though fixed versions are indicated by the version thresholds. The vulnerability is particularly relevant for environments where Node.js runs with elevated privileges and where the system's directory search order can be influenced by an attacker.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the deployment context of Node.js. Enterprises running Node.js applications with elevated privileges—such as backend services, system utilities, or development tools—may be at risk of integrity compromise if an attacker can manipulate the ICU data loading path. This could lead to altered application behavior, potential privilege escalation, or unauthorized code execution within the Node.js runtime environment. While confidentiality and availability impacts are minimal or none, the integrity impact is significant. Organizations in sectors with stringent data integrity requirements, such as finance, healthcare, and critical infrastructure, could face operational disruptions or compliance issues if exploited. The requirement for local access and elevated privileges limits remote exploitation, but insider threats or attackers who gain initial footholds on systems could leverage this vulnerability to deepen their access. Given the widespread use of Node.js across European enterprises, especially in digital services, e-commerce, and public sector applications, the vulnerability could affect a broad range of organizations if not mitigated.

Mitigation Recommendations

1. Upgrade Node.js to versions 19.6.1, 18.14.1, 16.19.1, 14.21.3 or later, where this vulnerability has been addressed.
2. Avoid running Node.js processes with elevated privileges unless absolutely necessary; apply the principle of least privilege to limit the potential impact.
3. Harden the environment by restricting write permissions on directories included in the ICU data search path to trusted users only, preventing attackers from placing malicious files.
4. Monitor and audit file system changes in directories involved in ICU data loading to detect unauthorized modifications.
5. Use containerization or sandboxing to isolate Node.js processes, reducing the risk that compromised ICU data affects the broader system.
6. Review and control environment variables and system PATH settings that influence search paths to prevent untrusted directories from being prioritized.
7. Implement host-based intrusion detection systems (HIDS) to alert on suspicious file placements or privilege escalations related to Node.js processes.
8. Educate developers and system administrators about the risks of running Node.js with elevated privileges and the importance of secure configuration.
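
Recommendations 1, 2, 3 and 6 can be checked together on a POSIX host. The script below is an added example, not code from the advisory or from the Node.js project. `ICU_DATA` and `NODE_ICU_DATA` are the real ICU and Node.js environment variables; the function names, the report shape, and the rule that a release line with no listed fix counts as affected are assumptions made for this example.

```javascript
const fs = require('fs');
const path = require('path');
// Fixed release per release line, taken from the advisory text above.
const FIXED = { 14: [14, 21, 3], 16: [16, 19, 1], 18: [18, 14, 1], 19: [19, 6, 1] };
// Variables that point ICU at a data directory (ICU_DATA: ICU, NODE_ICU_DATA: Node.js).
const ICU_ENV_VARS = ['ICU_DATA', 'NODE_ICU_DATA'];

// True when `version` (e.g. "v18.14.0") predates the fix for its release line.
function isAffected(version) {
  const v = version.replace(/^v/, '').split('.').map((n) => parseInt(n, 10));
  if (v[0] > 19) return false;
  const fixed = FIXED[v[0]];
  if (!fixed) return true; // assumption: a line with no listed fix stays affected
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Lists `dir` and every ancestor that is group/other-writable or owned by a
// uid outside `trustedUids`: anyone controlling one controls what gets loaded.
function untrustedComponents(dir, trustedUids) {
  const hits = [];
  for (let cur = path.resolve(dir); ; cur = path.dirname(cur)) {
    try {
      const st = fs.statSync(cur);
      if ((st.mode & 0o022) !== 0 || !trustedUids.has(st.uid)) hits.push(cur);
    } catch {
      hits.push(cur); // missing or unreadable component: cannot be vouched for
    }
    if (path.dirname(cur) === cur) return hits;
  }
}

// Combines version, privilege level and ICU path settings into one report.
function auditIcuSearchPath(version, env, uid) {
  const trusted = new Set([0, uid]);
  const dirs = ICU_ENV_VARS.filter((name) => env[name]).map((name) => ({
    name, dir: env[name], untrusted: untrustedComponents(env[name], trusted),
  }));
  const affected = isAffected(version);
  const elevated = uid === 0;
  const exposed = affected && elevated && dirs.some((d) => d.untrusted.length > 0);
  return { affected, elevated, dirs, exposed };
}

// Report on the runtime executing this script (uid -1 where getuid is absent).
const selfUid = process.getuid ? process.getuid() : -1;
console.log(JSON.stringify(auditIcuSearchPath(process.version, process.env, selfUid), null, 2));
```

Run it with the same user and environment as the service being audited; an `exposed: true` result means an unfixed runtime is running as root with an ICU data path that some other account can modify.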


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2023-01-19T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbee378

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 5:34:59 AM

Last updated: 8/11/2025, 8:24:45 AM
