
Does CVE-2023-39332 apply only to Node.js 20?


The description of CVE-2023-39332 says it only affects Node 20:

This vulnerability affects all users using the experimental permission model in Node.js 20

However, the Known Affected Software Configurations section indicates that all Node versions are affected.

The security release blog post mentions patches to both Node 18 and 20; however, the CVE is only mentioned in Node 20's changelog and not in Node 18's changelog.

The reason I ask is because our security scanning tool is flagging this CVE in our Node 18 images. I'm guessing this is because Node 18 is listed as an affected version even though that seems to be inaccurate. It seems our only recourse is to configure our scanner to ignore the CVE for Node 18.


Solution

  • Sometimes vulnerability reports are inaccurate and, as a consequence, scanning tools give inaccurate results. Sometimes inaccuracies are corrected over time; in other cases the report is simply marked as "DISPUTED" (see, for example, CVE-2022-40160, CVE-2023-39017 and CVE-2023-35116) or even "REJECTED" (see CVE-2022-41852), and it is not obvious what a scanning tool should do in these cases; for example, OWASP Dependency Check still reports the CVEs that I linked above. Note, in particular, that the "DISPUTED" and "REJECTED" labels are in the textual description of the reports, which cannot be easily managed by an automatic tool.

    For CVE-2023-39332 I tried to collect information from various sources (as I always do in these cases) and found even more contradictions than the ones you already noted. My findings are:

    1. NIST, as you noted, says in the description that the CVE affects Node 20 only, but it also says, in the metadata, that the CVE affects versions "Up to (excluding) 20.8.0".
    2. CVE.org, on the contrary, says that only version 20.8.0 is affected and this is somewhat confirmed by Fedora's release notes (linked both by NIST and CVE.org) that cite Node 20.8.1 as the fixed version.
    3. The security release blog post by Node mixes multiple vulnerabilities (not so clear); however,
      • it cites version 20.8.1 as the fixed one for the 20.x line (in agreement with CVE.org and Fedora),
      • it says that CVE-2023-39332 has level "high", and the "Impact" section says that only Node 20 has a "high" vulnerability.
    4. The changelogs that you linked further confirm that the CVE affects v20 only.

    In conclusion, if your tool reports CVE-2023-39332 on Node 18, I think it is a false positive.
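As an added example (not code from the question, the answer, or any of the sources cited), the Python script below shows the mechanism behind the false positive: metadata-driven scanners match the installed version against the NVD `configurations` version bounds, not against the free-text description. The NVD-style record is constructed and minimal; the field names follow the NVD API 2.0 layout and the only real value in it is the "Up to (excluding) 20.8.0" bound the answer quotes.

```python
"""Why a scanner can flag Node 18 for CVE-2023-39332: range metadata vs. description.

Constructed example record; it is NOT the real NVD JSON for this CVE.
"""

# Constructed fragment mirroring NVD API 2.0: configurations -> nodes -> cpeMatch.
CONSTRUCTED_NVD_RECORD = {
    "id": "CVE-2023-39332",
    "descriptions": [{"lang": "en",
                      "value": "... experimental permission model in Node.js 20 ..."}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "20.8.0"}]}]}],
}

def parse_version(v: str) -> tuple:
    """'20.8.0' -> (20, 8, 0); tolerates the leading 'v' used in Node changelogs."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def version_in_bounds(version: str, match: dict) -> bool:
    """Apply NVD's optional start/end bounds exactly as written in the cpeMatch entry."""
    ver = parse_version(version)
    bounds = [("versionStartIncluding", lambda b: ver < b),
              ("versionStartExcluding", lambda b: ver <= b),
              ("versionEndIncluding", lambda b: ver > b),
              ("versionEndExcluding", lambda b: ver >= b)]
    for key, excluded in bounds:
        if key in match and excluded(parse_version(match[key])):
            return False
    return True

def is_flagged(record: dict, vendor: str, product: str, version: str) -> bool:
    """Decide as a metadata-driven scanner does: match vendor/product, then the version range."""
    for config in record["configurations"]:
        for node in config["nodes"]:
            for m in node["cpeMatch"]:
                parts = m["criteria"].split(":")
                if m.get("vulnerable") and (parts[3], parts[4]) == (vendor, product):
                    if version_in_bounds(version, m):
                        return True
    return False

def triage(record: dict, version: str) -> str:
    """Flag by metadata, then warn when the description scopes the issue to another major line."""
    if not is_flagged(record, "nodejs", "node.js", version):
        return "not affected"
    text = " ".join(d["value"] for d in record["descriptions"] if d["lang"] == "en")
    if "Node.js 20" in text and parse_version(version)[0] != 20:
        return "flagged by version range; description scopes issue to Node.js 20, review as possible false positive"
    return "flagged"
```

Running `triage(CONSTRUCTED_NVD_RECORD, "18.18.2")` reproduces the scanner's behaviour: 18.x satisfies "excluding 20.8.0", so it is flagged even though the description only names Node.js 20.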