Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sandbox Escape in vm2@3.9.15 #516

Closed
leesh3288 opened this issue Apr 8, 2023 · 3 comments
Closed

Sandbox Escape in vm2@3.9.15 #516

leesh3288 opened this issue Apr 8, 2023 · 3 comments
Labels
bug confirmed

Comments

@leesh3288
Copy link

Hello, this is Xion (SeungHyun Lee) from KAIST Hacking Lab.

We have found a sandbox escape vulnerability in the vm2@3.9.15 (latest).
As this is a security issue we would like to contact the administrators via email, but could not find any point of contact.

Could the administrators share an email address to send the vulnerability report? @XmiliaH @patriksimek

Regards,
Xion.
@leesh3288
Copy link
Author

Done, appreciate the fast response!

@XmiliaH
Copy link
Collaborator

XmiliaH commented Apr 8, 2023

Thanks for the report.

@sickcodes sickcodes mentioned this issue Apr 8, 2023
Closed
@fraxken fraxken mentioned this issue Apr 9, 2023
Open
@XmiliaH
Copy link
Collaborator

XmiliaH commented Apr 11, 2023

Fixed in release 3.9.16 (see advisory GHSA-xj72-wvfv-8985)

@XmiliaH XmiliaH closed this as completed Apr 11, 2023
kirk-sayre-work added a commit to kirk-sayre-work/box-js that referenced this issue Apr 12, 2023
@kirk-sayre-work
Upgrade vm2 to 3.9.16 (see patriksimek/vm2#516).
118d03c
@github-actions github-actions bot mentioned this issue May 1, 2023
Open
@TheKingTermux TheKingTermux mentioned this issue May 2, 2023
Closed
4 tasks
@0x4248 0x4248 mentioned this issue May 16, 2023
Merged
lucasmarshall pushed a commit to supaglue-labs/supaglue that referenced this issue May 16, 2023
@0x4248
fix: update package.json to patch 9.8 CVSS Critical vulnerability (#841)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
ab6ceaa 
Fixes: 9.8 CVSS Critical vulnerability 

Bump vm2 version in package.json

Please see:
https://security.snyk.io/vuln/SNYK-JS-VM2-5422057
patriksimek/vm2#516

GHSA-xj72-wvfv-8985
https://github.com/patriksimek/vm2/releases/tag/3.9.16
@westonphillips westonphillips mentioned this issue Jun 27, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@leesh3288 @XmiliaH