CVE-2022-39266
isolated-vm has vulnerable CachedDataOptions in API
Severity: CRITICAL 9.6 | EPSS: 0.27%
Published: 9/30/2022 | Modified: 11/8/2023
Also known as: GHSA-2jjq-x548-rhpv
Description
### Impact
If untrusted V8 cached data is passed to the API through CachedDataOptions, an attacker can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user. Because the fix is a documentation change, upgrading alone does not close the hole: an application that still forwards caller-supplied cached data to the API remains exploitable on 4.3.7 and later.
Affected packages (1)
- npm/isolated-vm: from 0, < 4.3.7 (all versions before 4.3.7)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-39266
- PATCH: https://github.com/laverdet/isolated-vm
- WEB: https://github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8
- WEB: https://github.com/laverdet/isolated-vm/commits/v4.3.7
- WEB: https://github.com/laverdet/isolated-vm/issues/379
- WEB: https://github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv