vm2 vulnerable to sandbox escape - CVE-2023-29017 #2474
Comments
This was referenced May 2, 2023
junkaixue
pushed a commit
that referenced
this issue
May 4, 2023
specify vm2 at least 3.9.17 in helix-front package.resolutions (#2474 )
xyuanlu
pushed a commit
to xyuanlu/helix
that referenced
this issue
May 20, 2023
…e#2479) specify vm2 at least 3.9.17 in helix-front package.resolutions (apache#2474 )
rahulrane50
pushed a commit
to rahulrane50/helix
that referenced
this issue
May 31, 2023
…e#2479) specify vm2 at least 3.9.17 in helix-front package.resolutions (apache#2474 )
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue:
Npm library vm2 is vulnerable to sandbox escape resulting in remote code execution.
Description:
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to
Error.prepareStackTracein case of unhandled async errors.In helix-front, vm2 is a child dependency of dependency proxy-agent.
Impact:
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Recommendation:
References
GHSA-7jxr-cg7f-gpgv
https://nvd.nist.gov/vuln/detail/CVE-2023-29017
patriksimek/vm2#515
patriksimek/vm2@d534e57
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
The text was updated successfully, but these errors were encountered: