CVE-2022-32223

This vulnerability can be exploited if the victim has the following dependencies on Windows machine:

OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.
Whenever the above conditions are present, node.exe will search for providers.dll in the current user directory. After that, node.exe will try to search for providers.dll by the DLL Search Order in Windows.

It is possible for an attacker to place the malicious file providers.dll under a variety of paths and exploit this vulnerability.

More details will be available at CVE-2022-32223 after publication.

Thank you to Yakir Kadkoda from Aqua Security for reporting this vulnerability.

Impacts:

All versions of the 16.x, and 14.x releases lines.
Note:

This is a breaking change that has been made to the v14.x, v16.x, and v18.x releases lines.
Node.js can use an OpenSSL configuration file by specifying the environment variable OPENSSL_CONF, or using the command line option --openssl-conf, and if none of those are specified will default to reading the default OpenSSL configuration file openssl.cnf. Node.js will only read a section that is by default named nodejs_conf.

If your installation was using the default openssl.cnf file and is affected by this breaking change you can fall back to the previous behavior by:

Adding --openssl-shared-config to the command line; or
Creating a new nodejs_conf section in that file and copying the contents of the default section into the new nodejs_conf section.

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/