TooTallNate / node-proxy-agent

Maps proxy protocols to `http.Agent` implementations

Critical security vulnerability in vm2 #74

Closed Havunen closed 1 year ago

Havunen commented 2 years ago

Sandbox bypass in vm2 - https://github.com/advisories/GHSA-6pw2-5hjv-9pf7; fix available via `npm audit fix`.

node_modules/vm2

1 critical severity vulnerability

`npm list vm2` shows this repository as part of the dependency chain:

```
`-- ibm-openapi-validator@0.53.1
  `-- @stoplight/spectral-cli@6.2.0
    `-- proxy-agent@5.0.0
      `-- pac-proxy-agent@5.0.0
        `-- pac-resolver@5.0.0
          `-- degenerator@3.0.1
            `-- vm2@3.9.5
```

Connects to: https://github.com/TooTallNate/node-pac-proxy-agent/issues/46

dgilperez commented 2 years ago

Same here, happily looking for this to be fixed.

alasdairhurst commented 1 year ago

Looks like it is resolved, as well as CVE-2022-36067.

```
└─┬ proxy-agent@5.0.0
  └─┬ pac-proxy-agent@5.0.0
    └─┬ pac-resolver@5.0.1
      └─┬ degenerator@3.0.2
        └── vm2@3.9.11
```

penfold45 commented 1 year ago

@alasdairhurst Not sure how you are getting that vm2 version, but it does not appear to be directly from proxy-agent@5.0.0, as it does not appear to have been updated in over a year, and I am still getting this problem.

EDIT: ah, for some reason I had to delete my package-lock.json and now it's picking up vm2@3.9.11.

CameronSima commented 1 year ago

3.9.11 is also now a vulnerable version; it should now be upgraded to 3.9.17.

TooTallNate commented 1 year ago

The code in this repository has been moved to the proxy-agents monorepo, so I am closing this pull request. If you feel that this issue still exists as of the latest release, feel free to open a new issue over there.