CVE-2019-10761

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-10761

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10761.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-10761

Aliases

GHSA-wf5x-cr3r-xr77

Related

SNYK-JS-VM2-473188

Published

2022-07-13T09:15:08Z

Modified

2025-01-14T23:03:32Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.

References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type: GIT
Repo: https://github.com/patriksimek/vm2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4b22d704e4794af63a5a2d633385fd20948f6f90

Fixed

4b22d704e4794af63a5a2d633385fd20948f6f90