vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
Affected versions of this package are vulnerable to Sandbox Bypass: a maliciously crafted Proxy handler specification causes an unexpected host object to be created inside the sandbox.
Exploiting this vulnerability allows an attacker to reach that host object's Function constructor and gain remote code execution on the host running the sandbox.
Remediation
Upgrade vm2 to version 3.9.18 or higher.
References
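A quick way to act on the remediation is to audit a lockfile for every vm2 copy (including nested ones) and flag those below the fixed release. The following is an added example, not part of the advisory or of the vm2 project; the lockfile content is constructed, and the only value taken from the advisory is the fix version 3.9.18.

```javascript
// Added example: flag vm2 entries in an npm lockfile that are below the
// fixed release named in the remediation (3.9.18). Not vm2 project code.

const FIXED_VERSION = "3.9.18"; // from the advisory's remediation section

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional
// prerelease suffix ("3.9.18-0"). Build metadata after "+" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] || null };
}

// Numeric comparison per component; a prerelease of the same base version
// sorts below the release (3.9.18-0 < 3.9.18), as semver requires.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0; // ordering between two prereleases is not needed for this check
}

function isVulnerableVm2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every vm2 entry from an npm lockfile object: the flat "packages"
// map of lockfileVersion 2/3, or the nested "dependencies" tree of version 1.
function findVm2Versions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: entry.version });
      }
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Annotate each vm2 entry with whether it falls below the fixed version.
function auditLock(lock) {
  return findVm2Versions(lock).map((e) => ({ ...e, vulnerable: isVulnerableVm2(e.version) }));
}

// Constructed sample lockfile (lockfileVersion 3 layout) with one direct and
// one nested vm2 copy; the paths and the "demo-app" name are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/some-tool/node_modules/vm2": { version: "3.9.18" },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.path} vm2@${r.version}: ${r.vulnerable ? "below 3.9.18, upgrade" : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; the nested-path check matters because a transitive dependency can pin its own older vm2 even after the top-level copy is upgraded.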
SNYK-JS-VM2-5537100 (CVE-2023-32314), affecting vm2@3.9.11