Description
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
Recommendation
Update the isolated-vm package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.3.6
- Patched version(s): 4.3.7
References
- GHSA-2jjq-x548-rhpv
- CVE-2022-39266
- CWE-20
- CWE-287
- CWE-693
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- Grunt-karma vulnerable to prototype pollution - CVE-2022-37602
- copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action - CVE-2026-6874
- Passport vulnerable to session regeneration when a users logs in or out - CVE-2022-25896
You might also like:
- Tags:
- npm
- isolated-vm
Anything's wrong? Let us know Last updated on August 24, 2023


