TooTallNate / proxy-agents

Node.js HTTP Proxy Agents Monorepo
https://proxy-agents.n8.io

critical security vulnerability in dependency vm2 #240

Closed ctbaird closed 10 months ago

ctbaird commented 10 months ago

There is a critical security vulnerability in vm2, a dependency of degenerator:

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
fix available via `npm audit fix`
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/snowflake-sdk/node_modules/degenerator

npm install message warns that this package should not be used:

npm WARN deprecated vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

There is also this issue with a notice from the maintainer: https://github.com/patriksimek/vm2/issues/533

TooTallNate commented 10 months ago

This was fixed in https://github.com/TooTallNate/proxy-agents/pull/224.