CRITICAL 9.8

GHSA-4w2j-2rg4-5mjw

vm2 vulnerable to Arbitrary Code Execution

Details

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vm2

Introduced in: 0 Fixed in: 3.9.10

Fix npm install vm2@3.9.10

References

https://nvd.nist.gov/vuln/detail/CVE-2022-25893 [ADVISORY]
https://github.com/patriksimek/vm2/issues/444 [WEB]
https://github.com/patriksimek/vm2/pull/445 [WEB]
https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 [WEB]
https://github.com/patriksimek/vm2 [PACKAGE]
https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 [WEB]