Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yampxLXg1NDgtcmhwds4AAvIq

isolated-vm has vulnerable CachedDataOptions in API

Impact

If untrusted V8 cached data is passed to the API through CachedDataOptions, an attacker can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.

Permalink: https://github.com/advisories/GHSA-2jjq-x548-rhpv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yampxLXg1NDgtcmhwds4AAvIq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.7
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Percentage: 0.00262
EPSS Percentile: 0.65098

Identifiers: GHSA-2jjq-x548-rhpv, CVE-2022-39266
References: Repository: https://github.com/laverdet/isolated-vm
Blast Radius: 22.2

Affected Packages

npm:isolated-vm
Dependent packages: 76
Dependent repositories: 194
Downloads: 769,715 last month
Affected Version Ranges: <= 4.3.6
Fixed in: 4.3.7
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6
All unaffected versions: 4.3.7, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3