CVE Vulnerability

CVE-2019-10761

This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.

8.3 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90 Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VM2-473188 Third Party Advisory
https://github.com/patriksimek/vm2/issues/197 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Information

Published : 2022-07-13 09:15

Updated : 2022-07-21 10:38

NVD link : CVE-2019-10761

Mitre link : CVE-2019-10761

Products Affected
No products.
CWE
CWE-674

Uncontrolled Recursion