Vulnerability in pm2@5.3.0 Sandbox Escape

[The-Caesar]

What's going wrong?

• github caught a vulnerability in vm2 < 3.9.17 https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
• This packaged is used by pm2@5.3.0 › pm2 > @pm2/agent > proxy-agent > pac-proxy-agent > pac-resolver > degenerator > vm2

How could we reproduce this issue?

Supporting information

Solution would be to update vm2 dependency to > 3.9.18. Fixed https://www.mend.io/vulnerability-database/CVE-2023-32314

$ pm2 report

[gerzenstl]

Hi PM2 Team.

Any update on this?

[dilanka-att]

Same any update on this?

[dilanka-att]

Ok so looks like reinstall of pm2@5.3.0 just fixes that and installed the dependency without the CVE affected vm2 version

[gerzenstl]

I can confirm that reinstalling pm2 to the last version fixes the problem.

Note: In my case I use it installed globally

~ npm list vm2 -g
/usr/lib
└─┬ pm2@5.3.0
  └─┬ @pm2/agent@2.0.1
    └─┬ proxy-agent@5.0.0
      └─┬ pac-proxy-agent@5.0.0
        └─┬ pac-resolver@5.0.1
          └─┬ degenerator@3.0.4
            └── vm2@3.9.17

Reinstall:

~ npm uninstall -g pm2
...

~ npm install -g pm2
...

Result:

~ npm list vm2 -g
/usr/lib
└─┬ pm2@5.3.0
  └─┬ @pm2/agent@2.0.1
    └─┬ proxy-agent@5.0.0
      └─┬ pac-proxy-agent@5.0.0
        └─┬ pac-resolver@5.0.1
          └─┬ degenerator@3.0.4
            └── vm2@3.9.19