CVE-2022-25893: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

December 21, 2022 (updated January 3, 2023)

The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

References

github.com/advisories/GHSA-4w2j-2rg4-5mjw
github.com/patriksimek/vm2/issues/444
github.com/patriksimek/vm2/pull/445
github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69
nvd.nist.gov/vuln/detail/CVE-2022-25893
security.snyk.io/vuln/SNYK-JS-VM2-2990237

Code Behaviors & Features

Detect and mitigate CVE-2022-25893 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →