@boxlite-ai/boxlite@0.4.3
BoxLite - Embeddable micro-VM runtime for secure, isolated code execution
latest version
0.9.5
latest non vulnerable version
first published
4 months ago
latest version published
10 days ago
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the @boxlite-ai/boxlite package. This does not include vulnerabilities belonging to this package’s dependencies.
Fix vulnerabilities automatically
Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
@boxlite-ai/boxlite is a BoxLite - Embeddable micro-VM runtime for secure, isolated code execution Affected versions of this package are vulnerable to Symlink Attack via improper path resolution during extraction of OCI image layer tarballs. An attacker can write arbitrary files to locations outside the intended extraction root by crafting a layer with a symlink pointing to an absolute host path and including file entries that traverse this symlink. How to fix Symlink Attack? Upgrade | <0.9.0 |
@boxlite-ai/boxlite is a BoxLite - Embeddable micro-VM runtime for secure, isolated code execution Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the mounting of host directories in read-only mode into VM. An attacker can gain unauthorized write access to the host filesystem by remounting a shared directory as read-write from within the guest environment. How to fix Improper Isolation or Compartmentalization? Upgrade | <0.9.0 |