vm2 before 3.6.11 vulnerable to sandbox escape

GHSA-wf5x-cr3r-xr77 · CVE-2019-10761

Published Jul 14, 2022 · Modified Mar 13, 2026

Description

This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10761
WEB https://github.com/patriksimek/vm2/issues/197
WEB https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832
WEB https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90
WEB https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
PACKAGE https://github.com/patriksimek/vm2
WEB https://snyk.io/vuln/SNYK-JS-VM2-473188

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes