CVE-2022-39266 – isolated-vm
Package
Manager: npm
Name: isolated-vm
Vulnerable Version: >=0 <4.3.7
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00048 (percentile 0.1455)
Details
isolated-vm has vulnerable CachedDataOptions in API
Impact: If untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
Metadata
Created: 2022-09-30T22:59:03Z
Modified: 2023-08-24T22:25:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-2jjq-x548-rhpv/GHSA-2jjq-x548-rhpv.json
CWE IDs: ["CWE-20", "CWE-287", "CWE-693"]
Alternative ID: GHSA-2jjq-x548-rhpv
Finding: F184
Auto approve: 1