Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify the details against your actual situation before relying on them.
Vulnerability Title
Sandbox Bypass
Vulnerability Description
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the call stack limit with an infinite recursion. Because that error object is created by the host rather than inside the sandbox, sandboxed code can use it to reach the mainModule property of the host process running the script, require child_process from there, and execute arbitrary code.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (base score 8.3, High)
Vulnerability Type
N/A
Vulnerability Title
vm2 Security Vulnerability
Vulnerability Description
vm2 is an advanced virtual machine/sandbox for Node.js by the Czech individual developer Patrik Simek, used to run untrusted code with a whitelist of Node built-in modules. Versions of vm2 before 3.6.11 contain a security vulnerability: by reaching the call stack limit through infinite recursion, it is possible to trigger a RangeError exception from the host rather than the "sandboxed" context. The returned object is then used to reference the mainModule property of the host code running the script, allowing it to spawn a child_process and execute arbitrary code.
CVSS Information
N/A
Vulnerability Type
N/A