Description
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
Recommendation
Update the isolated-vm package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.3.6
- Patched version(s): 4.3.7
References
- GHSA-2jjq-x548-rhpv
- CVE-2022-39266
- CWE-20
- CWE-287
- CWE-693
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - CVE-2022-35948
- Strapi mishandles hidden attributes within admin API responses - CVE-2022-31367
- Server-Side Request Forgery in @peertube/embed-api - CVE-2022-0508
- Tags:
- npm
- isolated-vm
Anything's wrong? Let us know Last updated on August 24, 2023