CRITICAL 9.8

GHSA-6pw2-5hjv-9pf7

Sandbox bypass in vm2

Details

The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vm2

Introduced in: 0 Fixed in: 3.9.6

Fix npm install vm2@3.9.6

References

https://nvd.nist.gov/vuln/detail/CVE-2021-23555 [ADVISORY]
https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d [WEB]
https://github.com/patriksimek/vm2 [PACKAGE]
https://snyk.io/vuln/SNYK-JS-VM2-2309905 [WEB]