CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
69.5%
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData
payloads from a user.
github.com/laverdet/isolated-vm
github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8
github.com/laverdet/isolated-vm/commits/v4.3.7
github.com/laverdet/isolated-vm/issues/379
github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv
nvd.nist.gov/vuln/detail/CVE-2022-39266