Vulnerable Package issue exists @ Npm-vm2-3.9.11 in branch main
The vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 in versions prior to 3.9.18. It abuses an unexpected creation of a host object based on the specification of "Proxy". As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerable Package issue exists @ Npm-vm2-3.9.11 in branch main
The vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 in versions prior to 3.9.18. It abuses an unexpected creation of a host object based on the specification of "Proxy". As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Namespace: westonphillips Repository: CheckmarxOnePOV Repository Url: https://github.com/westonphillips/CheckmarxOnePOV CxAST-Project: westonphillips/CheckmarxOnePOV CxAST platform scan: 6a8170d0-38fa-4efc-81df-42628474102c Branch: main Application: CheckmarxOnePOV Severity: HIGH State: NOT_IGNORED Status: RECURRENT CWE: CWE-693
Additional Info Attack vector: NETWORK Attack complexity: LOW Confidentiality impact: HIGH Availability impact: HIGH Remediation Upgrade Recommendation: 3.9.18
References Advisory Disclosure Release Note Commit