Medium severity - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in vm2 (package.json)
#152
Open
github-actionsbot opened this issue
Jun 9, 2023
· 0 comments
vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the inspect method of vm.js, which is left writable from inside the sandbox.
Exploiting this vulnerability allows an attacker to edit the options used by the console.log command.
Workaround
Users unable to upgrade may make the inspect method readonly with vm.readonly(inspect) after creating a VM.
Detailed paths
Remediation
Upgrade vm2 to version 3.9.18 or higher.
References
SNYK-JS-VM2-5537079
(CVE-2023-32313) vm2@3.9.11
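The remediation above is a version floor, so the practical check is whether a project actually resolves vm2 at or above 3.9.18. The following is an added example, not code from the vm2 project or the advisory; it assumes an npm package-lock.json v2/v3 layout (a `packages` map keyed by install path) and uses the fixed version named on this page.

```javascript
// Added example, not code from vm2 or the advisory: audit a project's
// dependency metadata for a vm2 version below the fixed release (3.9.18).
// Assumes npm package-lock.json v2/v3 ("packages" keyed by install path).
const VM2_FIXED = "3.9.18";

// Parse "3.9.11", "^3.9.11" or "v3.9.11" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~>=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unparseable version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric triples only).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Resolved vm2 version(s) from a lockfile: the top-level copy and any nested copies.
function resolvedVm2Versions(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === "node_modules/vm2" || p.endsWith("/node_modules/vm2"))
    .map(([, info]) => info.version);
}

// Returns "absent", "fixed" or "vulnerable". A package.json range such as "^3.9.11"
// only states a floor, so when a lockfile entry exists its resolved version decides.
function auditVm2(packageJson, lock) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const declared = deps.vm2;
  const resolved = resolvedVm2Versions(lock);
  if (!declared && resolved.length === 0) return "absent";
  if (resolved.length === 0) {
    // No lockfile entry: judge by the declared floor only.
    return compareVersions(declared, VM2_FIXED) < 0 ? "vulnerable" : "fixed";
  }
  return resolved.some((v) => compareVersions(v, VM2_FIXED) < 0) ? "vulnerable" : "fixed";
}

// Constructed sample inputs (not taken from any real project).
const samplePackageJson = { dependencies: { vm2: "^3.9.11" } };
const vulnerableLock = { lockfileVersion: 3, packages: { "node_modules/vm2": { version: "3.9.11" } } };
const fixedLock = { lockfileVersion: 3, packages: { "node_modules/vm2": { version: "3.9.18" } } };

console.log(auditVm2(samplePackageJson, vulnerableLock), auditVm2(samplePackageJson, fixedLock));
```

A nested copy under another dependency's node_modules is reported too, since a transitive vm2 is just as exposed as a direct one.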