CVE-2021-21413
Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate
Description
Versions of `isolated-vm` before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposedly secure isolates to the permissions of the main nodejs isolate. `Reference` objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a `Reference` instance to an attacker, they would be able to use it to acquire a `Reference` to the nodejs context's `Function` object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to `NativeModule` objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API, this would allow for arbitrary code execution.

To address these issues the following changes were made in v4.0.0:
- Documentation was updated with more explicit guidelines on building secure applications.
- `Reference` instances will no longer follow prototype chains by default, nor will they invoke accessors or proxies.
- All `isolated-vm` API prototypes are now immutable.
- `NativeModule` constructor may only be invoked from a nodejs isolate.
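The prototype-chain pitfall and the v4 fix can be modelled in plain Node without `isolated-vm`. The following is an added illustration, not code from the `isolated-vm` project: `unsafeGet` mirrors the pre-v4 behaviour the advisory describes (plain property access that walks the prototype chain and runs accessors), while `safeGet` mirrors the v4 default (own data properties only, accessors never invoked). The object and function names are constructed for this example.

```javascript
// Added example (not isolated-vm's own code): models the v3 vs v4
// `Reference.get` semantics described in the advisory using plain objects.

// Pre-v4 style lookup: ordinary property access follows the prototype
// chain and invokes getters, so `constructor` leads out of the object.
function unsafeGet(target, prop) {
  return target[prop];
}

// v4-style lookup: only "own" data properties are returned. Inherited
// properties (e.g. `constructor`) and accessor properties yield undefined,
// and the getter is never invoked.
function safeGet(target, prop) {
  const desc = Object.getOwnPropertyDescriptor(target, prop);
  if (desc === undefined) return undefined;   // absent or inherited
  if (!('value' in desc)) return undefined;   // getter/setter: do not run it
  return desc.value;
}

// Constructed sample: an object an embedder might hand to untrusted code,
// with a getter so we can observe whether a lookup invoked it.
function makeSample() {
  let getterCalls = 0;
  const sample = {
    name: 'report',
    get secret() { getterCalls += 1; return 'host-only'; },
  };
  return { sample, calls: () => getterCalls };
}

// Runs both lookups against the sample and returns the observations.
function demo() {
  const { sample, calls } = makeSample();
  const safeConstructor = safeGet(sample, 'constructor');   // undefined
  const safeOwn = safeGet(sample, 'name');                  // 'report'
  const safeAccessor = safeGet(sample, 'secret');           // undefined
  const getterCallsAfterSafe = calls();                     // 0
  // Two hops of prototype walking reach the host's Function constructor.
  const unsafeReachesFunction =
    unsafeGet(unsafeGet(sample, 'constructor'), 'constructor') === Function;
  unsafeGet(sample, 'secret');
  const getterCallsAfterUnsafe = calls();                   // 1
  return { safeConstructor, safeOwn, safeAccessor, getterCallsAfterSafe,
           unsafeReachesFunction, getterCallsAfterUnsafe };
}

console.log(demo());
```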
How to fix CVE-2021-21413
To remediate CVE-2021-21413, upgrade the affected package to a fixed version below.
- `isolated-vm`: upgrade to 4.0.0 or later
Is CVE-2021-21413 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `isolated-vm`: versions >= 0, < 4.0.0