CVE-2021-21413 – isolated-vm
Package
Manager: npm
Name: isolated-vm
Vulnerable Version: >=0 <4.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
EPSS: 0.00137 (percentile 0.34334)
Details
Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate

Versions of `isolated-vm` before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposedly secure isolates to the permissions of the main nodejs isolate.

`Reference` objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a `Reference` instance to an attacker, they would be able to use it to acquire a `Reference` to the nodejs context's `Function` object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects.

Access to `NativeModule` objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API, this would allow for arbitrary code execution.

To address these issues the following changes were made in v4.0.0:

- Documentation was updated with more explicit guidelines on building secure applications.
- `Reference` instances will no longer follow prototype chains by default, nor will they invoke accessors or proxies.
- All `isolated-vm` API prototypes are now immutable.
- `NativeModule` constructor may only be invoked from a nodejs isolate.
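The difference between the old and new `Reference` lookup behaviour can be modelled in plain JavaScript. This is an added example, not code from `isolated-vm` or the advisory: the helper names and the sample host object are hypothetical, returning `undefined` for inherited keys and throwing on accessors are this model's choices, and proxy handling is left out.

```javascript
// Plain-JavaScript model of the two lookup policies; not isolated-vm code.
// readFollowingChain and readOwnDataOnly are hypothetical helper names.

// Pre-4.0.0 style: an ordinary property read, which walks the prototype
// chain and runs any getter it meets along the way.
function readFollowingChain(target, key) {
  return target[key];
}

// 4.0.0 default style (as modelled here): only own data properties are
// visible. Inherited keys read as undefined; accessors are never invoked.
function readOwnDataOnly(target, key) {
  const desc = Object.getOwnPropertyDescriptor(target, key);
  if (desc === undefined) return undefined; // absent or inherited
  if (!('value' in desc)) {
    throw new TypeError(`refusing to invoke accessor "${String(key)}"`);
  }
  return desc.value;
}

// Constructed sample: a host object an implementer might hand to a sandbox.
function makeHostObject() {
  let getterCalls = 0;
  const host = { limit: 10 };
  Object.defineProperty(host, 'secret', {
    enumerable: true,
    get() { getterCalls += 1; return 'host-only'; },
  });
  return { host, getterCalls: () => getterCalls };
}

function demo() {
  const { host, getterCalls } = makeHostObject();
  const viaChain = readFollowingChain(host, 'constructor'); // inherited Object
  const result = {
    // Following the chain twice lands on the host realm's Function object.
    chainReachesFunction: readFollowingChain(viaChain, 'constructor') === Function,
    ownConstructor: readOwnDataOnly(host, 'constructor'), // not an own key
    ownLimit: readOwnDataOnly(host, 'limit'),             // own data property
    accessorRefused: false,
  };
  try { readOwnDataOnly(host, 'secret'); }
  catch (e) { result.accessorRefused = e instanceof TypeError; }
  result.getterCalls = getterCalls(); // stays 0: the getter never ran
  return result;
}

console.log(demo());
```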
Metadata
Created: 2021-04-06T17:22:55Z
Modified: 2021-03-30T22:27:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-mmhj-4w6j-76h7/GHSA-mmhj-4w6j-76h7.json
CWE IDs: ["CWE-913"]
Alternative ID: GHSA-mmhj-4w6j-76h7
Finding: F039
Auto approve: 1