CVSS2
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile: 54.6%
Versions of isolated-vm before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposedly secure isolates to the permissions of the main nodejs isolate.
Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker, they would be able to use it to acquire a Reference to the nodejs context's Function object.
Similar application-specific attacks could be possible by modifying the local prototype of other API objects.
Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API, this would allow for arbitrary code execution.
To address these issues the following changes were made in v4.0.0:
- Reference instances will no longer follow prototype chains by default, nor will they invoke accessors or proxies.
- isolated-vm API prototypes are now immutable.
- NativeModule constructor may only be invoked from a nodejs isolate.
Vendor | Product | Version | CPE |
---|---|---|---|
isolated-vm_project | isolated-vm | * | cpe:2.3:a:isolated-vm_project:isolated-vm:*:*:*:*:*:node.js:*:* |
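The first two v4.0.0 changes described above, modelled as an added example in plain Node.js. This is not isolated-vm code or its API: every function and class name is hypothetical, plain objects stand in for a value exposed through a Reference, and proxy handling is left out.

```javascript
// Illustrative model: plain objects stand in for a host value handed out
// through a Reference. Hypothetical names; not isolated-vm's API or code.

// Lookup that behaves like ordinary property access: follows the prototype
// chain and runs getters (the pre-v4.0.0 default the advisory describes).
function inheritedGet(target, key) {
  return target[key];
}

// Lookup restricted to own data properties: inherited keys resolve to
// undefined and accessors are refused instead of invoked.
function ownDataGet(target, key) {
  const desc = Object.getOwnPropertyDescriptor(target, key);
  if (desc === undefined) return undefined;
  if (!('value' in desc)) {
    throw new TypeError('refusing to invoke accessor: ' + String(key));
  }
  return desc.value;
}

// Resolve a path one key at a time with the chosen lookup.
function resolvePath(root, path, get) {
  let current = root;
  for (const key of path) {
    const t = typeof current;
    if (current === null || (t !== 'object' && t !== 'function')) return undefined;
    current = get(current, key);
  }
  return current;
}

// Constructed sample: one data property, one getter that counts its calls.
function makeHostObject() {
  let reads = 0;
  const host = { greeting: 'hello' };
  Object.defineProperty(host, 'secret', { get() { reads += 1; return 'token'; } });
  return { host, readCount: () => reads };
}

// Immutable prototype: after Object.freeze, replacing a method fails
// (TypeError in strict mode, silently ignored otherwise).
class ApiObject { describe() { return 'original'; } }
Object.freeze(ApiObject.prototype);

function tryOverrideDescribe() {
  try { ApiObject.prototype.describe = () => 'tampered'; } catch (e) { /* rejected */ }
  return new ApiObject().describe();
}
```

With the inherited lookup, a path through inherited keys on the sample object resolves to the host Function object; with the own-data lookup the same path stops at undefined and the getter is never run.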
github.com/advisories/GHSA-mmhj-4w6j-76h7
github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400
github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15
github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704
github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7
nvd.nist.gov/vuln/detail/CVE-2021-21413