Update Node.js Package: vm2 to version 3.9.17 or later

[SurajBKamble]

Which node-red-contrib-modbus version are you using?

5.23.1

What happened?

Exposure of Sensitive Information, Manipulation of Data, Denial of Service (DoS)

1. vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. [CVE-2023-29017]

2. A vulnerability in source code transformer (exception sanitization logic) of vm2, allows attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. [CVE-2023-29199]

3. vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. A vulnerability in exception sanitization of vm2 allows attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context. [CVE-2023-30547]

4. In vm2, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

5. In vm2, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. [CVE-2023-37466]

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2023-30547

https://nvd.nist.gov/vuln/detail/CVE-2023-29017

https://nvd.nist.gov/vuln/detail/CVE-2023-29199

Server

Modbus-Server Node

How can this be reproduced?

Its a vulnerability bug

What did you expect to happen?

No response

Other Information

No response