Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate
- Severity:
- High
Description
Versions of isolated-vm before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate.
Reference objects allow access to the underlying reference’s full prototype chain.
Recommendation
Update the isolated-vm package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.0.0
- Patched version(s): 4.0.0
References
Related Issues
- Any logged in user could edit any other logged in user. - CVE-2021-29452
- Passing in a non-string 'html' argument can lead to unsanitized output - CVE-2021-32696
- NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file - CVE-2025-46328
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- Tags:
- npm
- isolated-vm
Anything's wrong? Let us know Last updated on February 01, 2023