CVE-2022-39266

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39266

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39266.json

Aliases

GHSA-2jjq-x548-rhpv

Published

2022-09-29T18:15:10Z

Modified

2023-11-29T09:49:41.418175Z

Details

isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.

References

Affected packages

Git / github.com/laverdet/isolated-vm

Affected ranges

Type: GIT
Repo: https://github.com/laverdet/isolated-vm
Events: Introduced

0The exact introduced commit is unknown

Fixed

218e87a6d4e8cb818bea76d1ab30cd0be51920e8

Affected versions

v0.*

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

v1.7.0

v1.7.1

v1.7.10

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.1.0

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.2.0

v3.3.0

v3.3.1

v3.3.10

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v4.*

v4.0.0

v4.1.0

v4.1.1

v4.2.0

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6