GHSA-2jjq-x548-rhpv

Source
https://github.com/advisories/GHSA-2jjq-x548-rhpv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-2jjq-x548-rhpv/GHSA-2jjq-x548-rhpv.json
Aliases
Published
2022-09-30T22:59:03Z
Modified
2023-11-08T04:10:17.188177Z
Details

Impact

If untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.

References

Affected packages

npm / isolated-vm

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
4.3.7

Database specific

{
    "last_known_affected_version_range": "<= 4.3.6"
}