Closed adamjmcgrath closed 1 year ago
Semgrep found 1 ssc-ee6f7d49-6c2e-4e70-ae96-e1f32647e936 finding:
Risk: vm2 versions before 3.9.17 are vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection'). An attacker can raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.
Fix: Upgrade this library to at least version 3.9.17 at node-auth0/package-lock.json:24323.
Reference(s): https://github.com/advisories/GHSA-ch3r-j5x3-6q2m, CVE-2023-30547
Created by ssc-ee6f7d49-6c2e-4e70-ae96-e1f32647e936.
Semgrep found 1 ssc-1286f396-f1d3-46c6-9e68-74429d10c3c4 finding:
Risk: vm2 versions before 3.9.15 are vulnerable to Improper Control Of Dynamically-Managed Code Resources due to improper control of dynamically-managed code resources related to Error.prepareStackTrace in unhandled async errors. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Fix: Upgrade this library to at least version 3.9.15 at node-auth0/package-lock.json:24323.
Reference(s): https://github.com/advisories/GHSA-7jxr-cg7f-gpgv, CVE-2023-29017
Created by ssc-1286f396-f1d3-46c6-9e68-74429d10c3c4.
Changes
Add ability to pass `agent`, `timeoutDuration` and `headers` to the api and jwks requests.