CVE-2022-39266

CRITICAL

isolated-vm <4.3.6 - RCE

Title source: llm

Description

isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.

References (4)

[Third Party Advisory] https://github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv

[Patch] https://github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8

[Patch] https://github.com/laverdet/isolated-vm/commits/v4.3.7

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/laverdet/isolated-vm/issues/379

Scores

CVSS v3 9.6

EPSS 0.0026

EPSS Percentile 48.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-20 CWE-693

Status published

Affected Products (2)

isolated-vm_project/isolated-vm < 4.3.6

npm/isolated-vm < 4.3.7npm

Timeline

Published Sep 29, 2022

Tracked Since Feb 18, 2026