First published: Wed Dec 21 2022
The vm2 package before version 3.9.10 is vulnerable to arbitrary code execution because of the prototype lookup used for the WeakMap.prototype.set method. Exploiting this vulnerability gives access to a host object and compromises the sandbox.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vm2 Project | <3.9.10 | Upgrade vm2 to version 3.9.10 or later |
CVE-2022-25893 has a severity rating of high due to its potential for arbitrary code execution.
To mitigate CVE-2022-25893, upgrade the vm2 package to version 3.9.10 or later.
CVE-2022-25893 is caused by the use of prototype lookup for the WeakMap.prototype.set method.
An attacker could achieve arbitrary code execution, leading to access to host objects and sandbox compromise.
All versions of the vm2 package prior to 3.9.10 are affected by CVE-2022-25893.
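The remediation above is a version check, so the practical question for a defender is whether any copy of vm2 older than 3.9.10 is still present in a dependency tree, including nested copies pulled in transitively. The following is an added example, not code from the advisory or from the vm2 project: it walks a `package-lock.json` object (both the v2/v3 `packages` map and the v1 `dependencies` tree) and reports every vm2 entry below the fixed version. The lockfile contents, package names and the `demo-app` / `legacy-runner` names are constructed for illustration.

```javascript
// Added example: flag vm2 versions affected by CVE-2022-25893 in a lockfile.
// Fixed version taken from the advisory text; everything else is constructed.
const FIXED_VERSION = '3.9.10';

// Parse "3.9.5", "v3.9.5" or "3.9.5-rc.1" into [major, minor, patch].
// Assumption: prerelease/build suffixes are ignored, so "3.9.10-0" is
// treated like "3.9.10"; use a full semver library for strict ordering.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0].replace(/^v/, '');
  return core.split('.').map((p) => parseInt(p, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Affected range from the advisory: every version strictly below 3.9.10.
function isVulnerableVm2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Scan a parsed package-lock.json and return every vulnerable vm2 copy
// with the node_modules path it was installed at.
function findVulnerableVm2(lock) {
  const findings = [];

  // Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
  // "node_modules/vm2" or "node_modules/foo/node_modules/vm2".
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/vm2$/.test(path) && meta.version && isVulnerableVm2(meta.version)) {
        findings.push({ path, version: meta.version });
      }
    }
    return findings;
  }

  // Lockfile v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && meta.version && isVulnerableVm2(meta.version)) {
        findings.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed v3 lockfile: the top-level vm2 is patched, but a nested copy
// under a transitive dependency is still on an affected version.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.11' },
    'node_modules/legacy-runner': { version: '0.2.0' },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.5' },
  },
};

// Constructed v1 lockfile with the same shape of problem.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    vm2: { version: '3.8.0' },
    other: { version: '1.0.0', dependencies: { vm2: { version: '3.9.10' } } },
  },
};

console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCK_V3)));
console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCK_V1)));
```

Run it against a real lockfile by replacing the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-copy case is the one worth keeping in mind: `npm ls vm2` or this walk will surface a vulnerable duplicate that a glance at the top-level `package.json` misses.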