High severityNVD Advisory· Published Jul 13, 2022· Updated Sep 16, 2024
Sandbox Bypass
CVE-2019-10761
Description
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vm2npm | < 3.6.11 | 3.6.11 |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-wf5x-cr3r-xr77ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10761ghsaADVISORY
- gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023aghsaWEB
- github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90ghsax_refsource_MISCWEB
- github.com/patriksimek/vm2/issues/197ghsax_refsource_MISCWEB
- github.com/patriksimek/vm2/issues/197ghsaWEB
- snyk.io/vuln/SNYK-JS-VM2-473188ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.