Описание
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with the @@species accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
Ссылки
- ExploitVendor Advisory
- ExploitVendor Advisory
Уязвимые конфигурации
EPSS
9.8 Critical
CVSS3
10 Critical
CVSS3
Дефекты
Связанные уязвимости
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
Уязвимость библиотеки vm2 пакетного менеджера NPM, связанная с неверным управлением генерацией кода, позволяющая нарушителю выйти из изолированной программной среды и выполнить произвольный код
EPSS
9.8 Critical
CVSS3
10 Critical
CVSS3