GHSA-6pw2-5hjv-9pf7

Suggest an improvement
Source
https://github.com/advisories/GHSA-6pw2-5hjv-9pf7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6pw2-5hjv-9pf7/GHSA-6pw2-5hjv-9pf7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6pw2-5hjv-9pf7
Aliases
Published
2022-02-12T00:00:38Z
Modified
2025-01-08T10:41:51.580342Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Sandbox bypass in vm2
Details

The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

Database specific 
{
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2022-02-11T20:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2022-02-14T22:46:08Z"
}
References

Affected packages

npm / vm2

Package

Name
vm2
View open source insights on deps.dev
Purl
pkg:npm/vm2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.9.6