
vm2 critical vulnerability RCE the library will be discontinued (pm2@5.3.0) #5639

Open
boxexchanger opened this issue Jul 14, 2023 · 6 comments

Comments

@boxexchanger

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that handler sanitization can be bypassed, allowing attackers to escape the sandbox.

Introduced

pm2@5.3.0 › @pm2/agent@2.0.1 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › vm2@3.9.19

How to fix?

There is no fixed version for vm2.

Note:

According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.

References

GitHub Issue
SNYK-JS-VM2-5772825

@egaudry

egaudry commented Jul 14, 2023

TooTallNate/proxy-agents#218

@mterrel

mterrel commented Jul 18, 2023

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

@gabrielenosso

vm2 critical security issue - same as here: #5643
Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

@cklat

cklat commented Jul 24, 2023

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

Is there a way to update a project that uses vm2 to install the newer version of the dependent packages instead of the broken ones for the time vm2 itself doesn't update it?

@j1mmie

j1mmie commented Jan 23, 2024

This critical vulnerability has existed for 9 months. Any intention to address this?

@Chiroyce1

This critical vulnerability has existed for 9 months. Any intention to address this?

What? So pm2 still hasn't addressed this yet? I wanted to start using it but first ran into #5642 and now this as well?


7 participants