Description
If untrusted V8 cached data is passed to the API through CachedDataOptions, an attacker can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
Recommendation
Update the isolated-vm package to the latest compatible version. Version details:
- Affected version(s): <= 4.3.6
- Patched version(s): 4.3.7
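Because the fix in 4.3.7 is a documentation warning, the caller still has to make sure that only cached data the host itself produced reaches CachedDataOptions. The sketch below is an added example, not code from isolated-vm or from this advisory. It assumes the host persists cache blobs somewhere outside the process, and the helper names `sealCachedData` and `openCachedData` are hypothetical. The HMAC only proves that the key holder produced the blob; it does not inspect the V8 data itself.

```javascript
'use strict';
const crypto = require('node:crypto');

// Hypothetical helpers. The key must live only on the host: never inside
// the isolate, and never with whoever stores or transports the blob.
const TAG_LEN = 32; // HMAC-SHA-256 output size in bytes

// The MAC also covers a hash of the script source, so a blob produced for
// one script cannot be replayed as the cache for a different script.
function tagFor(key, source, cached) {
  const srcHash = crypto.createHash('sha256').update(source).digest();
  return crypto.createHmac('sha256', key).update(srcHash).update(cached).digest();
}

// Call only on cached data that this process produced itself.
function sealCachedData(key, source, cached) {
  return Buffer.concat([tagFor(key, source, cached), cached]);
}

// Returns the cached bytes if the blob is authentic, otherwise null.
// On null, compile without cachedData instead of passing the blob through.
function openCachedData(key, source, blob) {
  if (!Buffer.isBuffer(blob) || blob.length <= TAG_LEN) return null;
  const tag = blob.subarray(0, TAG_LEN);
  const cached = blob.subarray(TAG_LEN);
  const expected = tagFor(key, source, cached);
  return crypto.timingSafeEqual(tag, expected) ? cached : null;
}

// Constructed sample values (the "cache" is a stand-in, not real V8 bytes).
const key = crypto.randomBytes(32);
const source = 'globalThis.answer = 6 * 7;';
const produced = Buffer.from('constructed-stand-in-for-v8-cache');
const stored = sealCachedData(key, source, produced);
const tampered = Buffer.from(stored);
tampered[tampered.length - 1] ^= 0x01; // single flipped bit in storage

console.log('authentic blob accepted:', openCachedData(key, source, stored) !== null);
console.log('tampered blob accepted: ', openCachedData(key, source, tampered) !== null);
console.log('unsealed blob accepted: ', openCachedData(key, source, produced) !== null);
```

Only a buffer returned by `openCachedData` should ever be handed to the cachedData option; anything that arrives from a user or fails the check is discarded and the script is compiled from source.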
References
- GHSA-2jjq-x548-rhpv
- CVE-2022-39266
- CWE-20
- CWE-287
- CWE-693
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Tags: npm, isolated-vm
Last updated on August 24, 2023


