Critical security vulnerability in vm2
Havunen opened this issue · 5 comments
Sandbox bypass in vm2 - GHSA-6pw2-5hjv-9pf7
fix available via npm audit fix
node_modules/vm2
1 critical severity vulnerability
npm list vm2 shows this repository as part of the dependency chain:
`-- ibm-openapi-validator@0.53.1
  `-- @stoplight/spectral-cli@6.2.0
    `-- proxy-agent@5.0.0
      `-- pac-proxy-agent@5.0.0
        `-- pac-resolver@5.0.0
          `-- degenerator@3.0.1
            `-- vm2@3.9.5
Connects to: TooTallNate/node-pac-proxy-agent#46
Same here, happily looking for this to be fixed.
Looks like it is resolved, as well as CVE-2022-36067
└─┬ proxy-agent@5.0.0
  └─┬ pac-proxy-agent@5.0.0
    └─┬ pac-resolver@5.0.1
      └─┬ degenerator@3.0.2
        └── vm2@3.9.11
@alasdairhurst Not sure how you are getting that vm2 version, but it does not appear to be directly from proxy-agent@5.0.0, as it does not appear to have been updated in over a year and I am still getting this problem.
EDIT: ah, for some reason I had to delete my package-lock.json and now it's picking up vm2@3.9.11.
3.9.11 is also now a vulnerable version and should now be upgraded to 3.9.17.
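The thread shows the two things that make this class of advisory awkward to close out: the vulnerable package sits six levels deep in a transitive chain, and the version that the lock file pins can remain below the patched one even after the intermediate packages release fixes. The script below is an added example, not code from the thread or from proxy-agent; it walks a dependency tree in the shape that `npm ls vm2 --json` prints, lists every path that ends in the target package, and flags each resolved version that is below a chosen fix floor. The tree embedded here is constructed by hand to mirror the chain posted above, with a second, already-patched copy added to show a mixed result; the floor of 3.9.17 is the version quoted in the comment above and should be checked against the advisory before you rely on it. The semver comparison is a deliberately minimal numeric compare, not the `semver` package.

```javascript
// Added example: find every path to a package in an `npm ls --json`-style
// tree and flag resolved versions below a fix floor. Not project code.

// Constructed sample tree mirroring the chain reported in the thread, plus a
// second copy of vm2 that is already at the floor (also constructed).
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "ibm-openapi-validator": {
      version: "0.53.1",
      dependencies: {
        "@stoplight/spectral-cli": {
          version: "6.2.0",
          dependencies: {
            "proxy-agent": {
              version: "5.0.0",
              dependencies: {
                "pac-proxy-agent": {
                  version: "5.0.0",
                  dependencies: {
                    "pac-resolver": {
                      version: "5.0.1",
                      dependencies: {
                        degenerator: {
                          version: "3.0.2",
                          dependencies: { vm2: { version: "3.9.11" } },
                        },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    "some-tool": {
      version: "2.0.0",
      dependencies: { vm2: { version: "3.9.17" } },
    },
  },
};

// Minimal MAJOR.MINOR.PATCH comparison. Ignores pre-release tags and build
// metadata; use the `semver` package when you need real range semantics.
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk. Returns one { path, version } record per installed copy of
// `target`. npm marks repeated references as "deduped" and omits `version`
// on them; those are skipped because the version is reported where the
// package is actually installed.
function findPackagePaths(tree, target) {
  const hits = [];
  function walk(node, path) {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const childPath = [...path, `${name}@${child.version || "deduped"}`];
      if (name === target && child.version) {
        hits.push({ path: childPath, version: child.version });
      }
      walk(child, childPath);
    }
  }
  walk(tree, []);
  return hits;
}

// Verdict per installed copy: vulnerable if its version is below the floor.
function auditPackage(tree, target, fixedVersion) {
  return findPackagePaths(tree, target).map((hit) => ({
    path: hit.path.join(" > "),
    version: hit.version,
    vulnerable: compareVersions(hit.version, fixedVersion) < 0,
  }));
}

// Stand-alone run against the constructed sample. Replace `sampleTree` with
// JSON.parse of `npm ls vm2 --json --all` output to audit a real project.
for (const r of auditPackage(sampleTree, "vm2", "3.9.17")) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"}\t${r.version}\t${r.path}`);
}
```

Two practical notes. First, audit the lock file's resolved versions rather than the ranges in package.json, since the ranges in degenerator and pac-resolver may already permit a fixed vm2 while the lock still pins an old one; that is exactly the situation where deleting package-lock.json changed the result above. Second, when the intermediate packages have not yet widened their ranges, npm 8.3 and later lets you force the transitive copy with an `overrides` entry in package.json (for example `"overrides": { "vm2": "3.9.17" }`) and then regenerating the lock with `npm install`; verify the result with `npm ls vm2` afterwards, because an override that does not match the dependency's range is silently applied only where it can be.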
The code in this repository has been moved to the proxy-agents monorepo, so I am closing this pull request. If you feel that this issue still exists as of the latest release, feel free to open a new issue over there.