Description
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
Recommendation
Update the isolated-vm package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.3.6
- Patched version(s): 4.3.7
References
- GHSA-2jjq-x548-rhpv
- CVE-2022-39266
- CWE-20
- CWE-287
- CWE-693
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- ejson shell parser in MongoDB Compass maybe bypassed - CVE-2024-6376
- Tags:
- npm
- isolated-vm
Anything's wrong? Let us know Last updated on August 24, 2023