CVE-2022-36067

Improper Control of Dynamically-Managed Code Resources in npm/vm2

Identifiers

CVE-2022-36067, GHSA-mrgp-mrhc-5jrq

Package Slug

npm/vm2

Vulnerability

Improper Control of Dynamically-Managed Code Resources

Description

vm2 is a sandbox that can run untrusted code with allowlisted Node built-in modules. In versions prior to 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in version 3.9.11 of vm2. There are no known workarounds.

Affected Versions

All versions before 3.9.11

Solution

Upgrade to version 3.9.11 or above.

Last Modified

2022-09-12
