vm2@3.7.0 vulnerabilities

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

  • latest version

    3.9.19

  • first published

    10 years ago

  • latest version published

    1 years ago

  • deprecated

    Package is deprecated

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vm2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Remote Code Execution (RCE)

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks which allow an attacker to escape the sandbox.

    Note:

    According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

    How to fix Remote Code Execution (RCE)?

    There is no fixed version for vm2.

    *
    • C
    Remote Code Execution (RCE)

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that the Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox.

    Note:

    According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

    How to fix Remote Code Execution (RCE)?

    There is no fixed version for vm2.

    *
    • C
    Sandbox Bypass

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Bypass by abusing an unexpected creation of a host object based on the maliciously crafted specification of Proxy. Exploiting this vulnerability allows an attacker to gain remote code execution rights on the host running the sandbox via the Function constructor.

    How to fix Sandbox Bypass?

    Upgrade vm2 to version 3.9.18 or higher.

    <3.9.18
    • M
    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the inspect method of vm.js, which allows write permissions. Exploiting this vulnerability allows an attacker to edit options for the console.log command.

    How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

    Upgrade vm2 to version 3.9.18 or higher.

    <3.9.18
    • C
    Improper Handling of Exceptional Conditions

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions due to allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

    How to fix Improper Handling of Exceptional Conditions?

    Upgrade vm2 to version 3.9.17 or higher.

    <3.9.17
    • C
    Sandbox Escape

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Escape. There exists a vulnerability in source code transformer (exception sanitization logic), allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

    How to fix Sandbox Escape?

    Upgrade vm2 to version 3.9.16 or higher.

    <3.9.16
    • C
    Sandbox Escape

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Escape due to improper handling of host objects passed to Error.prepareStackTrace in case of unhandled async errors.

    How to fix Sandbox Escape?

    Upgrade vm2 to version 3.9.15 or higher.

    <3.9.15
    • C
    Arbitrary Code Execution

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

    How to fix Arbitrary Code Execution?

    Upgrade vm2 to version 3.9.10 or higher.

    <3.9.10
    • C
    Sandbox Bypass

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Bypass via indirect access to host.Object during preparation of stacktraces, which can lead to execution of arbitrary code on the host machine.

    How to fix Sandbox Bypass?

    Upgrade vm2 to version 3.9.11 or higher.

    <3.9.11
    • C
    Sandbox Bypass

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

    How to fix Sandbox Bypass?

    Upgrade vm2 to version 3.9.6 or higher.

    <3.9.6
    • C
    Sandbox Bypass

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

    Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

    PoC

    const {VM} = require("vm2");
    let vmInstance = new VM();
    
    let code = `    
        res = eval('import(\\'./foo.js\\');')    
        res.__proto__.__proto__.polluted = res.__proto__.__proto__.toString.constructor("return this")().process.mainModule.require("child_process").execSync("touch HACKED").toString();
    `;
    vmInstance.run(code);
    console.log(polluted);
    

    How to fix Sandbox Bypass?

    Upgrade vm2 to version 3.9.4 or higher.

    <3.9.4