CVE-2022-25893 — vm2 vulnerable to Arbitrary Code Execution

Description

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

How to fix CVE-2022-25893

To remediate CVE-2022-25893, upgrade the affected package to a fixed version below.

npm/vm2—upgrade to 3.9.10 or later

Is CVE-2022-25893 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25893
PATCHgithub.com/patriksimek/vm2
WEBgithub.com/patriksimek/vm2/issues/444
WEBgithub.com/patriksimek/vm2/pull/445
WEB