The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/25xxx/CVE-2022-25893.json",
"cna_assigner": "snyk"
}{
"cpe": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.9.10"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}