GHSA-V27G-JCQJ-V8RW vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
Summary vm2's CallSite wrapper class intended as a safe wrapper for V8's native CallSite blocks getThis and getFunction to prevent host object leakage, but allows getFileName to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and...