CVE-2021-23449 – vm2
Package
Manager: npm
Name: vm2
Vulnerable Version: >=0 <3.9.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00602 (percentile: 0.68565)
Details
Prototype Pollution in vm2. This affects the package vm2 before 3.9.4. A Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
Metadata
Created: 2021-10-19T15:28:45Z
Modified: 2021-10-19T14:18:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-rjf2-j2r6-q8gr/GHSA-rjf2-j2r6-q8gr.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-rjf2-j2r6-q8gr
Finding: F390
Auto approve: 1