https://www.cve.org/CVERecord?id=CVE-2023-37903
The vm2 library is vulnerable to a remote code execution attack, and the library is discontinued and no further updates are expected there to fix this.
The dependency chain for this is:
serverless-cloudfront-invalidate@1.12.2 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › vm2@3.9.19
The fix for serverless-cloudfront-invalidate would be to upgrade to proxy-agent 6.3.0 or newer. Proxy-agent 6.3.0 transitions away from vm2 to quickjs-emscripten.
https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0
https://github.com/TooTallNate/proxy-agents/releases/tag/pac-proxy-agent%407.0.0
There is a fix waiting in PR #43 already.
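
To confirm whether a project's lockfile still pulls in vm2 through a chain like the one above, the following added example (not code from this issue or from the plugin) walks the `packages` map of an npm v2/v3 `package-lock.json` and lists every path to a named package. The sample lockfile is constructed from the versions quoted in the issue; its version ranges are made up.

```javascript
// Added example: list dependency chains that reach a package in an npm
// lockfile (v2/v3 "packages" map). Helper names are hypothetical.
function resolve(packages, fromPath, name) {
  // Node-style lookup: nearest node_modules first, then walk up to the root.
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. a skipped optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const marker = "node_modules/";
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const name = path === "" ? pkg.name || "(root)"
      : path.slice(path.lastIndexOf(marker) + marker.length);
    const here = trail.concat(`${name}@${pkg.version}`);
    if (name === target) { chains.push(here.join(" > ")); return; }
    if (seen.has(path)) return; // dependency cycle, stop here
    const next = new Set(seen).add(path);
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
      ...(path === "" ? pkg.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolve(packages, path, dep);
      if (resolved) walk(resolved, here, next);
    }
  };
  if (packages[""]) walk("", [], new Set());
  return chains;
}

// Constructed sample: versions from the issue, ranges invented for illustration.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "serverless-cloudfront-invalidate", version: "1.12.2",
        dependencies: { "proxy-agent": "^5.0.0" } },
  "node_modules/proxy-agent": { version: "5.0.0", dependencies: { "pac-proxy-agent": "^5.0.0" } },
  "node_modules/pac-proxy-agent": { version: "5.0.0", dependencies: { "pac-resolver": "^5.0.0" } },
  "node_modules/pac-resolver": { version: "5.0.1", dependencies: { degenerator: "^3.0.0" } },
  "node_modules/degenerator": { version: "3.0.4", dependencies: { vm2: "^3.9.0" } },
  "node_modules/vm2": { version: "3.9.19" },
} };

console.log(findChains(sampleLock, "vm2"));
```

Pass it the parsed contents of a real `package-lock.json`; an empty array means no chain to vm2 remains in that lockfile.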