CVE-2021-23449 — Prototype Pollution in vm2

Description

This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.

How to fix CVE-2021-23449

To remediate CVE-2021-23449, upgrade the affected package to a fixed version below.

npm/vm2—upgrade to 3.9.4 or later

Is CVE-2021-23449 being exploited?

Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.9.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23449
PATCHgithub.com/patriksimek/vm2
WEBgithub.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
WEBgithub.com/patriksimek/vm2/issues/363
WEB