First published: Fri Sep 15 2023(Updated: )
### Impact In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Within Directus this applies to the "Run Script" operation in flows being able to escape the sandbox running code in the main nodejs context. ### Patches Patched in v10.6.0 by replacing `vm2` with `isolated-vm` ### Workarounds None ### References https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
|Affected Software||Affected Version||How to fix|
The impact is that in vm2 versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code in the main Node.js context in Directus.
Attackers can exploit GHSA-22rr-f3p8-5gf8 by leveraging the bypassed Promise handler sanitization in vm2 to escape the sandbox and execute arbitrary code.
In Directus, GHSA-22rr-f3p8-5gf8 specifically impacts the "Run Script" operation in flows, allowing the execution of code in the main Node.js context.
The severity of GHSA-22rr-f3p8-5gf8 is high with a CVSS score of 7.6.
To fix GHSA-22rr-f3p8-5gf8, update vm2 to version 3.9.20 or higher in Directus.