Upgrade vm2 to version 3.11.4 or higher.
vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules.
Affected versions of this package are vulnerable to Improper Validation of Array Index through the defaultSandboxPrepareStackTrace function in lib/setup-sandbox.js. An attacker can observe or rewrite error.stack output by installing a setter on Array.prototype[N] or overriding Array.prototype.join before triggering stack formatting. The sandbox’s stack-trace formatter builds the stack in a sandbox-realm array and then joins it, so untrusted code can intercept the bridge-internal frame list and alter the string returned to application code.
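
The formatting pattern described above can be reproduced in plain JavaScript without vm2. The following is an added example, not vm2's code or its patch: it contrasts a formatter that builds an array and joins it with one that concatenates strings, and checks both while Array.prototype is tampered with. All function names and the sample frames are hypothetical and constructed for illustration.

```javascript
'use strict';
// Added illustration in plain JavaScript (single realm, no vm2). Names are hypothetical.

// Fragile pattern: indexed writes and join() both consult Array.prototype.
function formatStackFragile(header, frames) {
  const lines = [];
  lines[0] = header;                        // assignment walks the prototype chain
  for (let i = 0; i < frames.length; i++) {
    lines[i + 1] = '    at ' + frames[i];   // a setter on Array.prototype[N] fires here
  }
  return lines.join('\n');                  // join is resolved on Array.prototype at call time
}

// Hardened pattern: build the string directly, with no array intermediates.
function formatStackHardened(header, frames) {
  let out = '' + header;
  for (let i = 0; i < frames.length; i++) {
    out += '\n    at ' + frames[i];
  }
  return out;
}

// Regression probe: run a formatter while Array.prototype carries an index
// setter and a replaced join, then restore the prototype.
function probeFormatter(format) {
  const frames = ['internalBridge (bridge.js:1:1)', 'userFn (app.js:2:2)']; // constructed sample
  const expected = 'Error: boom\n    at ' + frames[0] + '\n    at ' + frames[1];
  const originalJoin = Array.prototype.join;
  let intercepted = 0;                      // counter, so the probe itself uses no arrays
  Object.defineProperty(Array.prototype, '1', {
    configurable: true,
    set() { intercepted++; },               // sees the value instead of the array storing it
  });
  Array.prototype.join = function () { intercepted++; return 'REWRITTEN'; };
  try {
    const output = format('Error: boom', frames);
    return { intact: output === expected, intercepted };
  } finally {
    Array.prototype.join = originalJoin;
    delete Array.prototype[1];
  }
}

console.log('fragile :', probeFormatter(formatStackFragile));
console.log('hardened:', probeFormatter(formatStackHardened));
```

A probe like this can serve as a regression test for any code that formats data on behalf of untrusted code: the formatter passes only if its output is unchanged and nothing was intercepted.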