XmiliaH

4 exploits Active since Oct 2021
CVE-2021-23449 WRITEUP CRITICAL WRITEUP
Vm2 < 3.9.4 - Prototype Pollution
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
CVSS 9.8
CVE-2021-23555 WRITEUP CRITICAL WRITEUP
vm2 <3.9.6 - Code Injection
The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.
CVSS 9.8
CVE-2023-29199 WRITEUP CRITICAL WRITEUP
vm2 <3.9.15 - RCE
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.
CVSS 9.8
CVE-2023-32313 WRITEUP MEDIUM WRITEUP
Vm2 < 3.9.18 - Injection
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.
CVSS 5.3