CVE-2021-23555 – vm2
Package
Manager: npm
Name: vm2
Vulnerable Version: >=0 <3.9.6
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00222 (percentile 0.44779)
Details
Sandbox bypass in vm2
The package vm2 before 3.9.6 is vulnerable to sandbox bypass via direct access to host error objects generated by Node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
Metadata
Created: 2022-02-12T00:00:38Z
Modified: 2022-02-24T13:46:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6pw2-5hjv-9pf7/GHSA-6pw2-5hjv-9pf7.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-6pw2-5hjv-9pf7
Finding: F390
Auto approve: 1