Vulnerability Description
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vm2 Project | Vm2 | < 3.9.10 |
Related Weaknesses (CWE)
References
- https://github.com/patriksimek/vm2/issues/444 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/patriksimek/vm2/pull/445 (Patch, Third Party Advisory)
- https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675 (Patch, Third Party Advisory)
- https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-25893?
CVE-2022-25893 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
How severe is CVE-2022-25893?
CVE-2022-25893 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-25893?
Check the references section above for vendor advisories and patch information; the fix is contained in vm2 3.9.10 and later. Affected products include: Vm2 Project Vm2.