This repository has been archived by the owner on Apr 13, 2023. It is now read-only.
chore(deps): update dependency vm2 to v3.9.11 [security] #203
This PR contains the following updates:
vm2 3.6.6 -> 3.9.11
GitHub Vulnerability Alerts
CVE-2021-23449
This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
CVE-2021-23555
The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by Node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
CVE-2019-10761
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
CVE-2022-36067
Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches
This vulnerability was patched in the release of version 3.9.11 of vm2.
Workarounds
None.
References
Github Issue - https://github.com/patriksimek/vm2/issues/467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - patriksimek/vm2@d9a7f3c#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
For more information
If you have any questions or comments about this advisory:
CVE-2022-25893
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
Release Notes
patriksimek/vm2
v3.9.11
Compare Source
[new] Add option require.strict to allow loading required modules in non-strict mode.
[fix] Security fix.
v3.9.10
Compare Source
[new] Add uptime to process.
[fix] Security fix.
[fix] Fix inspection with showProxy.
v3.9.9
Compare Source
[fix] Bump parser ECMA version to 2022.
v3.9.8
Compare Source
[fix] Add function type check for arguments, caller, and callee property check (GeoffRen)
[fix] Fix find best extension handler
v3.9.7
Compare Source
[fix] Allow relative require from base script
[fix] Fix issue with modules with exports clause in package JSON
[fix] Added missing whitelist check before custom require
[fix] Revert plain object toString behavior
[fix] Root path check improved
v3.9.6
Compare Source
[fix] Security fixes (XmiliaH)
v3.9.5
Compare Source
[new] Editor config (aubelsb2)
[fix] Fix for Promise.then breaking
[fix] Fix for missing properties on CallSite
v3.9.4
Compare Source
[new] Added strict option
[fix] Security fixes (XmiliaH)
[fix] Fixed bound function causes TypeError (XmiliaH)
[fix] Allow extending of frozen objects
v3.9.3
Compare Source
[fix] Security fixes
[fix] Fixed problems when Promise object is deleted (XmiliaH)
[fix] Fixed oversight that write ability can change on non configurable properties (XmiliaH)
[fix] Support shebang as node does (XmiliaH)
[fix] Property typos (Shigma)
v3.9.2
Compare Source
[new] Added NodeVM options to pass argv & env to process object (XmiliaH)
[fix] Fixed breakouts in NodeVM (XmiliaH)
[fix] Made async check more robust (XmiliaH)
v3.9.1
Compare Source
[new] Support conditional export resolution with custom resolver. (nick-klaviyo)
v3.9.0
Compare Source
[new] Added vm.Script lineOffset and columnOffset options (azu)
[new] Allow to specify a compiler per VMScript (XmiliaH)
[new] Add option to disable async (XmiliaH)
[new] Added a lot of jsdoc (XmiliaH)
[fix] Fix access to frozen or unconfigurable properties (XmiliaH)
[fix] Double wrap Objects to prevent breakout via inspect (XmiliaH)
[fix] Compile now compiles VM code (XmiliaH)
v3.8.4
Compare Source
[fix] Do not allow precompiling VMScript (XmiliaH)
[fix] Security fixes (XmiliaH)
v3.8.3
Compare Source
[fix] Security fixes
v3.8.2
Compare Source
[fix] toString() on builtin objects
v3.8.1
Compare Source
[fix] Module resolver fixes
[fix] require('events') works correctly in Node 12
[fix] SyntaxError not being instanceOf Error
v3.8.0
Compare Source
[new] Allow prohibiting access to eval/wasm in sandbox context
[new] Allow transitive external dependencies in sandbox context (Idan Attias)
[new] Allow using wildcards in module-names passed using the external attribute (Harel Moshe)
[fix] Default to index.js when specified "main" does not exist (Harel Moshe)
[fix] Security fixes
v3.7.0
Compare Source
[new] Add require.resolve (Idan Attias)
[new] Support multiple root paths (Idan Attias)
v3.6.11
Compare Source
[fix] Contextification of EvalError and URIError
[fix] Security fixes
v3.6.10
Compare Source
[fix] Add missing console.debug function in NodeVM
[fix] Security fixes
v3.6.9
Compare Source
[fix] Security fixes
v3.6.8
Compare Source
[fix] Security fixes
v3.6.7
Compare Source
[fix] Security fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.