vm2 critical vulnerability RCE the library will be discontinued ([email protected])
Overview
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) such that handler sanitization can be bypassed, allowing attackers to escape the sandbox.
Introduced
[email protected] › @pm2/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
How to fix?
There is no fixed version for vm2.
Note:
According to the maintainer, the security issue cannot be properly addressed and the library will be discontinued.
References
https://github.com/TooTallNate/proxy-agents/issues/218
The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases
vm2 critical security issue - same as here: https://github.com/Unitech/pm2/issues/5643. Need this fixed ASAP for the CI/CD pipeline, which recognizes this as a Critical risk.
The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases
Is there a way to update a project that uses vm2 to install the newer version of the dependent packages instead of the broken ones for the time vm2 itself doesn't update it?
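One way to force the vm2-free proxy-agent release into a project's dependency tree before pm2 itself updates, as an added example that is not from the pm2 project or this thread: npm's `overrides` field (npm 8.3 or later) replaces the version a transitive dependency would otherwise resolve to. It assumes the project depends on pm2, that pm2's code is compatible with proxy-agent 6.3.0, and that npm is the package manager (Yarn uses a `resolutions` field for the same purpose).

```json
{
  "name": "example-service",
  "version": "1.0.0",
  "dependencies": {
    "pm2": "*"
  },
  "overrides": {
    "pm2": {
      "proxy-agent": "6.3.0"
    }
  }
}
```

After `npm install`, run `npm ls vm2`; an empty result confirms vm2 is no longer present in the lockfile, while a remaining entry identifies which other dependency still pulls it in.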
This critical vulnerability has existed for 9 months. Any intention to address this?
What? So pm2 still hasn't addressed this yet? I wanted to start using it but first ran into #5642 and now this as well?