vm2 critical vulnerability RCE the library will be discontinued (pm2@5.3.0) #5639
Comments
vm2 critical security issue - same as here: #5643

Is there a way to update a project that uses vm2 to install the newer version of the dependent packages instead of the broken ones for the time vm2 itself doesn't update it?

This critical vulnerability has existed for 9 months. Any intention to address this?

What? So pm2 still hasn't addressed this yet? I wanted to start using it but first ran into #5642 and now this as well?
Overview
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that handler sanitization can be bypassed, allowing attackers to escape the sandbox.
Introduced
pm2@5.3.0 › @pm2/agent@2.0.1 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › vm2@3.9.19
How to fix?
There is no fixed version for vm2.
Note:
According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.
References
GitHub Issue
SNYK-JS-VM2-5772825
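To check whether a project actually pulls in vm2 through the chain listed under "Introduced" (and to find every such path, not just the pm2 one), the following added example, which is not code from pm2, vm2 or Snyk, walks a lockfileVersion 2/3 package-lock.json using npm's node_modules lookup order. The lockfile in it is a constructed sample shaped like this issue's chain; the function names are my own.

```javascript
// Added example, not code from pm2, vm2 or Snyk: walk the "packages" map of a
// lockfileVersion 2/3 package-lock.json and list every dependency path from the
// project root to a named package. LOCK below is a constructed sample.
function resolveDep(packages, fromKey, name) {
  // npm resolves a dependency by looking in node_modules next to the requiring
  // package, then one node_modules level up at a time, until the root ("").
  let base = fromKey;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

function findPathsTo(lock, target) {
  const packages = lock.packages;
  const paths = [];
  const walk = (key, chain, seen) => {
    const entry = packages[key];
    if (!entry || seen.has(key)) return;        // missing entry or cycle
    const visited = new Set(seen).add(key);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depKey = resolveDep(packages, key, dep);
      if (!depKey) continue;                     // dangling lockfile entry
      const next = [...chain, `${dep}@${packages[depKey].version}`];
      if (dep === target) paths.push(next.join(" > "));
      else walk(depKey, next, visited);
    }
  };
  walk("", [packages[""].name || "."], new Set());
  return paths;
}

const LOCK = { // constructed sample, not a real package-lock.json
  packages: {
    "": { name: "demo-app", dependencies: { pm2: "5.3.0" } },
    "node_modules/pm2": { version: "5.3.0", dependencies: { "@pm2/agent": "2.0.1" } },
    "node_modules/@pm2/agent": { version: "2.0.1", dependencies: { "proxy-agent": "5.0.0" } },
    "node_modules/proxy-agent": { version: "5.0.0", dependencies: { "pac-proxy-agent": "5.0.0" } },
    "node_modules/pac-proxy-agent": { version: "5.0.0", dependencies: { "pac-resolver": "5.0.1" } },
    "node_modules/pac-resolver": { version: "5.0.1", dependencies: { degenerator: "3.0.4" } },
    "node_modules/degenerator": { version: "3.0.4", dependencies: { vm2: "3.9.19" } },
    "node_modules/vm2": { version: "3.9.19" },
  },
};
console.log(findPathsTo(LOCK, "vm2"));
```

On a real project, replace LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls vm2` gives the same answer from the command line, without the per-path version detail.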