vm2 3.9.17 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the vm2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Remote Code Execution (RCE) vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks which allow an attacker to escape the sandbox. Note: According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued. How to fix Remote Code Execution (RCE)? Upgrade `vm2` to version 3.10.0 or higher.	<3.10.0
C Remote Code Execution (RCE) vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that the `Promise` handler sanitization can be bypassed, allowing attackers to escape the sandbox. Note: According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued. How to fix Remote Code Execution (RCE)? Upgrade `vm2` to version 3.10.0 or higher.	<3.10.0
C Sandbox Bypass vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Sandbox Bypass by abusing an unexpected creation of a host object based on the maliciously crafted specification of `Proxy`. Exploiting this vulnerability allows an attacker to gain remote code execution rights on the host running the sandbox via the `Function` constructor. How to fix Sandbox Bypass? Upgrade `vm2` to version 3.9.18 or higher.	<3.9.18
M Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the `inspect` method of `vm.js`, which allows `write` permissions. Exploiting this vulnerability allows an attacker to edit options for the `console.log` command. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `vm2` to version 3.9.18 or higher.	<3.9.18

Vulnerability

Vulnerable Version

Remote Code Execution (RCE)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks which allow an attacker to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

How to fix Remote Code Execution (RCE)?

Upgrade vm2 to version 3.10.0 or higher.

<3.10.0

Remote Code Execution (RCE)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that the Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

How to fix Remote Code Execution (RCE)?

Upgrade vm2 to version 3.10.0 or higher.

<3.10.0

Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass by abusing an unexpected creation of a host object based on the maliciously crafted specification of Proxy. Exploiting this vulnerability allows an attacker to gain remote code execution rights on the host running the sandbox via the Function constructor.

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.9.18 or higher.

<3.9.18

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the inspect method of vm.js, which allows write permissions. Exploiting this vulnerability allows an attacker to edit options for the console.log command.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade vm2 to version 3.9.18 or higher.

<3.9.18

vm2@3.9.17 vulnerabilities

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically