Vulnerability Details : CVE-2022-25893
Potential exploit
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
Products affected by CVE-2022-25893
- cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-25893
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~29%
Percentile: the proportion of vulnerabilities that are scored at or below this value
CVSS scores for CVE-2022-25893
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Snyk |
CWE ids for CVE-2022-25893
- The product does not properly protect an assumed-immutable element from being modified by an attacker. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2022-25893
- https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 — Arbitrary Code Execution in vm2 | CVE-2022-25893 | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/patriksimek/vm2/issues/444 — Security Issue · Issue #444 · patriksimek/vm2 · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 — Security fix for issue 444. by XmiliaH · Pull Request #445 · patriksimek/vm2 · GitHub (Patch; Third Party Advisory)
- https://github.com/patriksimek/vm2/pull/445 — Security fix for issue 444. by XmiliaH · Pull Request #445 · patriksimek/vm2 · GitHub (Patch; Third Party Advisory)