CRITICAL 9.8

GHSA-4w2j-2rg4-5mjw

vm2 vulnerable to Arbitrary Code Execution

상세

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / vm2

최초 영향 버전: 0 수정 버전: 3.9.10

수정 npm install vm2@3.9.10

참고

https://nvd.nist.gov/vuln/detail/CVE-2022-25893 [ADVISORY]
https://github.com/patriksimek/vm2/issues/444 [WEB]
https://github.com/patriksimek/vm2/pull/445 [WEB]
https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 [WEB]
https://github.com/patriksimek/vm2 [PACKAGE]
https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 [WEB]