vm2 critical vulnerability RCE the library will be discontinued (pm2@5.3.0)

[boxexchanger]

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Introduced

pm2@5.3.0 › @pm2/agent@2.0.1 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › vm2@3.9.19

How to fix?

There is no fixed version for vm2.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

References

GitHub Issue
SNYK-JS-VM2-5772825

[egaudry]

TooTallNate/proxy-agents#218

[mterrel]

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

[gabrielenosso]

vm2 critical security issue - same as here: #5643
Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

[cklat]

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

Is there a way to update a project that uses vm2 to install the newer version of the dependent packages instead of the broken ones for the time vm2 itself doesn't update it?

[j1mmie]

This critical vulnerability has existed for 9 months. Any intention to address this?

[Chiroyce1]

This critical vulnerability has existed for 9 months. Any intention to address this?

What? So pm2 still hasn't addressed this yet? I wanted to start using it but first ran into #5642 and now this as well?