Homepage
About Snyk

Remote Code Execution (RCE) Affecting isolated-vm package, versions <4.3.7

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.3% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ISOLATEDVM-3037320
  • published 30 Sep 2022
  • disclosed 30 Sep 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 30 Sep 2022

CVE-2022-39266 Open this link in a new tab
CWE-693 Open this link in a new tab

How to fix?

Upgrade isolated-vm to version 4.3.7 or higher.

Overview

isolated-vm is an Access to multiple isolates

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when untrusted v8 cached data is passed to the API through CachedDataOptions, by allowing attackers to bypass the sandbox and run arbitrary code in the nodejs process.

Note:

This issue has been addressed by improving the documentation.

״CachedData contains compiled machine code. That means you should not accept cachedData payloads from a user, otherwise they may be able to run arbitrary code.״

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9.6 critical
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical