CVE-2019-10761

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-10761
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10761.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-10761
Aliases
Related
  • SNYK-JS-VM2-473188
Published
2022-07-13T09:15:08Z
Modified
2025-01-14T23:03:32Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary
[none]
Details

This affects the package vm2 before 3.6.11. By reaching the call stack limit with an infinite recursion, a script can trigger a RangeError exception that originates from the host rather than from the "sandboxed" context. The returned object is then used to reference the mainModule property of the host code running the script, allowing the script to spawn a child_process and execute arbitrary code.

References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type
GIT
Repo
https://github.com/patriksimek/vm2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed