Description
If untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
Recommendation
Update the isolated-vm package to the latest compatible version. Version details:
- Affected version(s): <= 4.3.6
- Patched version(s): 4.3.7
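The warning added in 4.3.7 amounts to loading only cachedData that the application itself produced. One way to enforce that when cache blobs are stored outside the process, as an added example (not code from isolated-vm or from this advisory); the key handling, the record layout and the helper names `sealCachedData` / `openCachedData` are assumptions:

```javascript
// Added example: authenticate V8 code-cache blobs before they are ever used
// as cachedData. Helper names and record layout are hypothetical.
const crypto = require('node:crypto');

// Assumption: a per-deployment secret that never leaves the server.
const SECRET = crypto.randomBytes(32);

// The tag binds a blob to the exact source text and to the V8 build that
// produced it, so a blob cannot be replayed against another script.
function tagFor(source, blob) {
  return crypto.createHmac('sha256', SECRET)
    .update(process.versions.v8).update('\0')
    .update(crypto.createHash('sha256').update(source).digest())
    .update(blob)
    .digest();
}

// Call only with bytes the server itself obtained via produceCachedData.
function sealCachedData(source, blob) {
  const copy = Buffer.from(blob);
  return { blob: copy, tag: tagFor(source, copy) };
}

// Returns the blob only if this server sealed it for this source.
// Returns null otherwise; the caller then compiles without cachedData.
function openCachedData(source, record) {
  if (!record || !Buffer.isBuffer(record.blob) || !Buffer.isBuffer(record.tag)) {
    return null;
  }
  const expected = tagFor(source, record.blob);
  if (record.tag.length !== expected.length) return null;
  return crypto.timingSafeEqual(record.tag, expected) ? record.blob : null;
}
```

A blob returned by `openCachedData` can be passed on as cachedData; on `null`, compile the script without it and reseal the freshly produced cache.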
References
- GHSA-2jjq-x548-rhpv
- CVE-2022-39266
- CWE-20
- CWE-287
- CWE-693
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- steal vulnerable to Regular Expression Denial of Service via source and sourceWithComments - CVE-2022-37262
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- JOSE vulnerable to resource exhaustion via specifically crafted JWE - CVE-2022-36083
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083
Tags
- npm
- isolated-vm
Last updated on August 24, 2023