Critical severityNVD Advisory· Published Dec 21, 2022· Updated Apr 15, 2025
Arbitrary Code Execution
CVE-2022-25893
Description
The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vm2npm | < 3.9.10 | 3.9.10 |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-4w2j-2rg4-5mjwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25893ghsaADVISORY
- github.com/patriksimek/vm2/issues/444ghsaWEB
- github.com/patriksimek/vm2/pull/445ghsaWEB
- github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69ghsaWEB
- security.snyk.io/vuln/SNYK-JS-VM2-2990237ghsaWEB
News mentions
0No linked articles in our index yet.