CVE-2022-25893 Information

Description

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Reference

https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69 https://github.com/patriksimek/vm2/pull/445 https://security.snyk.io/vuln/SNYK-JS-VM2-2990237 https://github.com/patriksimek/vm2/issues/444