Description
vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
Patch x_refsource_misc
https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238
Product x_refsource_misc
https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
Release Notes x_refsource_misc
https://github.com/patriksimek/vm2/releases/tag/3.9.18
Scores
CVSS v3
5.3
EPSS
0.0057
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (2)
npm/vm2
0 - 3.9.18npm
vm2_project/vm2
< 3.9.18
Published
May 15, 2023
Tracked Since
Feb 18, 2026