TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

fix(security): degenerator dependency obtains a CRITICAL security ris… #199

Closed ohadsh535 closed 1 year ago

ohadsh535 commented 1 year ago

fix(security): degenerator dependency obtains a CRITICAL security risk on vm2 version CVE-2023-32314

See https://nvd.nist.gov/vuln/detail/CVE-2023-32314 for further details.

"vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.18 of vm2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
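
A defender-side check for the affected range quoted above, as an added example that is not part of the original PR or the proxy-agents code: it walks the `packages` map of an npm lockfile (v2/v3) and reports every `vm2` copy older than 3.9.18, including nested copies such as one installed under `degenerator`. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the PR): find vm2 copies older than 3.9.18 in an
// npm lockfile v2/v3 "packages" map. Names and sample data are constructed.
const FIXED = [3, 9, 18]; // first patched vm2 release per the advisory text

// True when version v sorts before 3.9.18 (a 3.9.18 pre-release counts as older).
function isBelowFixed(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?/.exec(String(v));
  if (!m) return true; // missing or unparseable version: flag for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return m[4] !== undefined; // numerically equal: only a pre-release is older
}

// Returns [{ path, version, parent }] for every affected vm2 entry.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/degenerator/node_modules/vm2".
    const segs = path.split("node_modules/");
    if (segs[segs.length - 1] !== "vm2") continue;
    if (!isBelowFixed(meta.version)) continue;
    // The segment before the last one names the package that nests this copy.
    const parent = segs.length > 2
      ? segs[segs.length - 2].replace(/\/$/, "")
      : "(top level)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample; for a real project load it with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/degenerator/node_modules/vm2": { version: "3.9.17" },
    "node_modules/vm2": { version: "3.9.18" },
  },
};

for (const h of findVulnerableVm2(sampleLock)) {
  console.log(`vm2@${h.version} via ${h.parent}: ${h.path}`);
}
```
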

changeset-bot[bot] commented 1 year ago

🦋 Changeset detected

Latest commit: a42ec6725292bd08dad3a02881c88dda30f2efa2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

| Name        | Type  |
| ----------- | ----- |
| degenerator | Patch |


vercel[bot] commented 1 year ago

The latest updates on your projects.

| Name         | Status            | Preview       | Updated (UTC)        |
| ------------ | ----------------- | ------------- | -------------------- |
| proxy-agents | ✅ Ready (Inspect) | Visit Preview | Jun 17, 2023 8:18am  |

ohadsh535 commented 1 year ago

async-cache@1.1.0 sprintf@0.1.5
