Vulnerable Package issue exists @ Npm-vm2-3.9.11 in branch main
The package vm2 is a sandbox that can run untrusted code with Node's built-in modules. In vm2 versions prior to 3.9.18, it was possible to get a read-write reference to the node "inspect" method and edit options for "console.log". As a result, a threat actor can edit options for the "console.log" command. Users are advised to upgrade. Users unable to upgrade may make the "inspect" method read-only with "vm.readonly(inspect)" after creating a VM.
Vulnerable Package issue exists @ Npm-vm2-3.9.11 in branch main
The package vm2 is a sandbox that can run untrusted code with Node's built-in modules. In vm2 versions prior to 3.9.18, it was possible to get a read-write reference to the node "inspect" method and edit options for "console.log". As a result, a threat actor can edit options for the "console.log" command. Users are advised to upgrade. Users unable to upgrade may make the "inspect" method read-only with "vm.readonly(inspect)" after creating a VM.
Namespace: westonphillips Repository: CheckmarxOnePOV Repository Url: https://github.com/westonphillips/CheckmarxOnePOV CxAST-Project: westonphillips/CheckmarxOnePOV CxAST platform scan: 6a8170d0-38fa-4efc-81df-42628474102c Branch: main Application: CheckmarxOnePOV Severity: MEDIUM State: NOT_IGNORED Status: RECURRENT CWE: CWE-74
Additional Info Attack vector: NETWORK Attack complexity: LOW Confidentiality impact: NONE Availability impact: NONE Remediation Upgrade Recommendation: 3.9.18
References Advisory Commit Release Note POC/Exploit