CVE-2022-25893

Source
https://cve.org/CVERecord?id=CVE-2022-25893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-25893
Aliases
Published
2022-12-21T05:15:11.220Z
Modified
2026-07-15T01:48:54.790314287Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P CVSS Calculator
Summary
Arbitrary Code Execution
Details

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/25xxx/CVE-2022-25893.json",
    "cna_assigner": "snyk"
}
References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type
GIT
Repo
https://github.com/patriksimek/vm2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.9.10"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

3.*
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.9.9
v3.*
v3.9.0
v3.9.1
v3.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25893.json"