Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Sandbox Breakout / Arbitrary Code Execution in lighter-vm
All versions of lighter-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor. This may allow attackers to execute arbitrary code in the system. Evaluating the payload this.constructor.constructor('return process.env')() prints the contents of process.env.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-c3hq-7mxh-mqxf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWMzaHEtN214aC1tcXhm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-c3hq-7mxh-mqxf
References:
Blast Radius: 0.0
Affected Packages
npm:lighter-vm
Dependent packages: 1
Dependent repositories: 1
Downloads: 18 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.0