Critical severity · NVD Advisory · Published Sep 29, 2022 · Updated Apr 23, 2025
isolated-vm has vulnerable CachedDataOptions in API
CVE-2022-39266
Description
isolated-vm is a library for Node.js which gives the user access to V8's Isolate interface. In versions 4.3.6 and prior, if untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user.
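One way to follow that guidance in a host application, shown as an added example that is not code from the advisory or from the isolated-vm project: the host reuses only cached data it produced itself and ignores any `cachedData` supplied with a request. `TrustedCodeCache` and `compileOptions` are hypothetical names, and sealing stored blobs with an HMAC is an assumption that goes beyond the advisory's advice, for the case where the cache lives on disk or in a shared store.

```javascript
const crypto = require('node:crypto');

// Hypothetical helper (not part of isolated-vm): a code cache that returns
// only blobs the host sealed itself after its own compile.
class TrustedCodeCache {
  constructor(key, store = new Map()) {
    this.key = key;     // host-only HMAC key
    this.store = store; // Map-like; may be backed by disk or a shared cache
  }
  static hashSource(code) {
    return crypto.createHash('sha256').update(code).digest('hex');
  }
  tag(sourceHash, blob) {
    // Bind the blob to the exact source text it was produced from.
    return crypto.createHmac('sha256', this.key)
      .update(sourceHash).update(blob).digest();
  }
  // Call only with the output of the host's own produceCachedData compile.
  put(code, blob) {
    const h = TrustedCodeCache.hashSource(code);
    const buf = Buffer.from(blob);
    this.store.set(h, Buffer.concat([this.tag(h, buf), buf]));
  }
  // Returns the verified blob, or null if it is missing or was tampered with.
  get(code) {
    const h = TrustedCodeCache.hashSource(code);
    const sealed = this.store.get(h);
    if (!Buffer.isBuffer(sealed) || sealed.length <= 32) return null;
    const blob = sealed.subarray(32);
    const ok = crypto.timingSafeEqual(sealed.subarray(0, 32), this.tag(h, blob));
    if (!ok) this.store.delete(h); // evict, forcing a fresh compile
    return ok ? blob : null;
  }
}

// Build the CachedDataOptions for a compile. Any cachedData field on the
// untrusted request is ignored on purpose.
function compileOptions(cache, code, _untrustedRequest) {
  const blob = cache.get(code);
  // Wrap `blob` in an isolated-vm ExternalCopy before passing it on.
  return blob ? { cachedData: blob } : { produceCachedData: true };
}
```
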
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| isolated-vm (npm) | < 4.3.7 | 4.3.7 |
Affected products
- Range: <= 4.3.6
References
- github.com/advisories/GHSA-2jjq-x548-rhpv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-39266 (ghsa, ADVISORY)
- github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8 (ghsa, x_refsource_MISC, WEB)
- github.com/laverdet/isolated-vm/commits/v4.3.7 (ghsa, x_refsource_MISC, WEB)
- github.com/laverdet/isolated-vm/issues/379 (ghsa, x_refsource_MISC, WEB)
- github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv (ghsa, x_refsource_CONFIRM, WEB)