Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate
- Severity:
- High
Description
Versions of isolated-vm before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate.
Reference objects allow access to the underlying reference’s full prototype chain.
Recommendation
Update the isolated-vm package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.0.0
- Patched version(s): 4.0.0
References
Related Issues
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- isolated-vm has vulnerable CachedDataOptions in API - CVE-2022-39266
- Improper Verification of Cryptographic Signature in `node-forge` (GHSA-2r2c-g63r-vccr) - CVE-2022-24773
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- isolated-vm
Anything's wrong? Let us know Last updated on February 01, 2023