Total: 5 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-25893 | 1 Vm2 Project | 1 Vm2 | 2023-01-03 | N/A | 9.8 CRITICAL |
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
CVE-2022-36067 | 1 Vm2 Project | 1 Vm2 | 2022-11-07 | N/A | 10.0 CRITICAL |
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
CVE-2019-10761 | 1 Vm2 Project | 1 Vm2 | 2022-07-21 | N/A | 8.3 HIGH |
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script, allowing it to spawn a child_process and execute arbitrary code.
CVE-2021-23555 | 1 Vm2 Project | 1 Vm2 | 2022-02-22 | 10.0 HIGH | 9.8 CRITICAL |
The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
CVE-2021-23449 | 1 Vm2 Project | 1 Vm2 | 2021-11-04 | 7.5 HIGH | 10.0 CRITICAL |
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.