vm2@3.6.10 vulnerabilities

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Direct Vulnerabilities

Known vulnerabilities in the vm2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Remote Code Execution (RCE)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient checks which allow an attacker to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

How to fix Remote Code Execution (RCE)?

There is no fixed version for vm2.

*
  • C
Remote Code Execution (RCE)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that the Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

How to fix Remote Code Execution (RCE)?

There is no fixed version for vm2.

*
  • C
Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass by abusing an unexpected creation of a host object based on the maliciously crafted specification of Proxy. Exploiting this vulnerability allows an attacker to gain remote code execution rights on the host running the sandbox via the Function constructor.

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.9.18 or higher.

<3.9.18
  • M
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the inspect method of vm.js, which allows write permissions. Exploiting this vulnerability allows an attacker to edit options for the console.log command.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade vm2 to version 3.9.18 or higher.

<3.9.18
  • C
Improper Handling of Exceptional Conditions

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions due to allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

How to fix Improper Handling of Exceptional Conditions?

Upgrade vm2 to version 3.9.17 or higher.

<3.9.17
  • C
Sandbox Escape

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Escape. There exists a vulnerability in source code transformer (exception sanitization logic), allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

How to fix Sandbox Escape?

Upgrade vm2 to version 3.9.16 or higher.

<3.9.16
  • C
Sandbox Escape

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Escape due to improper handling of host objects passed to Error.prepareStackTrace in case of unhandled async errors.

How to fix Sandbox Escape?

Upgrade vm2 to version 3.9.15 or higher.

<3.9.15
  • C
Arbitrary Code Execution

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

How to fix Arbitrary Code Execution?

Upgrade vm2 to version 3.9.10 or higher.

<3.9.10
  • C
Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass via indirect access to host.Object during preparation of stacktraces, which can lead to execution of arbitrary code on the host machine.

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.9.11 or higher.

<3.9.11
  • C
Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.9.6 or higher.

<3.9.6
  • C
Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.

PoC

const {VM} = require("vm2");
let vmInstance = new VM();

let code = `    
    res = eval('import(\\'./foo.js\\');')    
    res.__proto__.__proto__.polluted = res.__proto__.__proto__.toString.constructor("return this")().process.mainModule.require("child_process").execSync("touch HACKED").toString();
`;
vmInstance.run(code);
console.log(polluted);

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.9.4 or higher.

<3.9.4
  • H
Sandbox Bypass

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Sandbox Bypass. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.

How to fix Sandbox Bypass?

Upgrade vm2 to version 3.6.11 or higher.

<3.6.11