This vulnerability is trending on Twitter; this may indicate a growing threat.
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade vm2 to version 3.11.4 or higher.
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Protection Mechanism Failure through the NodeVM builtin wildcard expansion in lib/builtin.js. An attacker can load Node’s private underscored network and stream builtins by supplying builtin: ['*', '-http', '-https', '-net', '-dgram', '-tls', '-dns', '-http2'] and then requiring modules such as _http_client, _http_server, or _tls_wrap. This lets sandboxed code make outbound HTTP requests or open listening sockets despite the embedder’s network exclusions, exposing localhost services, cloud metadata endpoints, and internal admin interfaces to requests originating from the host process.