patriksimek / vm2

Advanced vm/sandbox for Node.js
MIT License

Sandbox Escape in vm2@3.9.15 #516

Closed leesh3288 closed 1 year ago

leesh3288 commented 1 year ago

Hello, this is Xion (SeungHyun Lee) from KAIST Hacking Lab.

We have found a sandbox escape vulnerability in vm2@3.9.15 (latest). As this is a security issue, we would like to contact the administrators via email, but could not find any point of contact.

Could the administrators share an email address to send the vulnerability report? @XmiliaH @patriksimek

Regards, Xion.

leesh3288 commented 1 year ago

Done, appreciate the fast response!

XmiliaH commented 1 year ago

Thanks for the report.

XmiliaH commented 1 year ago

Fixed in release 3.9.16 (see advisory https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985)