CVE-2022-25893

Опубликовано: 21 дек. 2022

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Ссылки

https://github.com/patriksimek/vm2/issues/444
Exploit
Issue Tracking
Third Party Advisory
https://github.com/patriksimek/vm2/pull/445
Patch
Third Party Advisory
https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-VM2-2990237
Exploit
Patch
Third Party Advisory
https://github.com/patriksimek/vm2/issues/444
Exploit
Issue Tracking
Third Party Advisory
https://github.com/patriksimek/vm2/pull/445
Patch
Third Party Advisory
https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-VM2-2990237
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

Версия до 3.9.10 (исключая)

EPSS

Процентиль: 65%

0.00495

Низкий

9.8 Critical

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-471

Связанные уязвимости

GHSA-4w2j-2rg4-5mjw