CVE-2022-25893 – vm2
Package
Manager: npm
Name: vm2
Vulnerable Version: >=0 <3.9.10
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00126 (percentile 0.32621)
Details
vm2 vulnerable to Arbitrary Code Execution
The package vm2 before 3.9.10 is vulnerable to arbitrary code execution due to the use of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability gives sandboxed code access to a host object and compromises the sandbox.
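The practical check for this advisory is whether any copy of vm2 in a dependency tree, including nested copies under other packages, falls inside the vulnerable range ">=0 <3.9.10". The script below is an added example, not code from the advisory or the vm2 project: it implements a minimal MAJOR.MINOR.PATCH comparison (no semver dependency, so it runs offline), walks the "packages" map of a package-lock.json (lockfile v2/v3 layout), and flags every vm2 entry below the first fixed version. The lockfile object `sampleLock` is constructed for the example; the function and variable names are the example's own.

```javascript
// Added example (not from the advisory or the vm2 project): check whether an
// installed vm2 version falls inside the advisory's vulnerable range ">=0 <3.9.10".
// The lockfile content below is constructed for the example.

const VULNERABLE_BELOW = "3.9.10"; // first fixed version per GHSA-4w2j-2rg4-5mjw

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" and any pre-release
// or build suffix ("3.9.10-rc.1", "3.9.10+build") are stripped first.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
// (A plain string compare would wrongly rank "3.9.9" above "3.9.10".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is in the advisory range ">=0 <3.9.10".
function isVulnerableVm2(version) {
  return compareVersions(version, VULNERABLE_BELOW) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every vm2 copy, whether top-level (node_modules/vm2) or nested under
// another dependency (node_modules/<dep>/node_modules/vm2).
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      findings.push({
        path,
        version: meta.version,
        vulnerable: isVulnerableVm2(meta.version),
      });
    }
  }
  return findings;
}

// Constructed lockfile: a fixed top-level vm2 and a vulnerable copy nested
// under a plugin, which is exactly the case a top-level "npm ls vm2" glance misses.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.10" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.9" },
  },
};

for (const f of findVulnerableVm2(sampleLock)) {
  console.log(
    `${f.path}@${f.version}: ${f.vulnerable ? "VULNERABLE (CVE-2022-25893)" : "ok"}`
  );
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Because the advisory's range starts at 0, any vm2 older than 3.9.10 is in scope, so the check is a single "less than" against the fixed version; a nested vulnerable copy still matters even when the top-level copy is patched, since the nested one is what the dependency that bundles it will actually load.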
Metadata
Created: 2022-12-21T06:30:29Z
Modified: 2022-12-22T03:33:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4w2j-2rg4-5mjw/GHSA-4w2j-2rg4-5mjw.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-4w2j-2rg4-5mjw
Finding: F422
Auto approve: 1