Vulnerabilities > CVE-2022-25893

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

critical

NVD

Published: 2022-12-21

Updated: 2023-01-03

Summary

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

References

https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69
https://github.com/patriksimek/vm2/pull/445
https://security.snyk.io/vuln/SNYK-JS-VM2-2990237
https://github.com/patriksimek/vm2/issues/444

Vulnerabilities > CVE-2022-25893 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2022-25893"}]}

Summary

References

Vulnerabilities > CVE-2022-25893