CVE-2019-10761
moderate-risk
Published 2022-07-13
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
Do I need to act?
-
0.82% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.3/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VM2-473188
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-VM2-473188
37
/ 100
moderate-risk
Severity
29/34 · Critical
Exploitability
3/34 · Minimal
Exposure
5/34 · Minimal