Affected versions of this package are vulnerable to Remote Code Execution (RCE) when untrusted v8 cached data is passed to the API through CachedDataOptions, by allowing attackers to bypass the sandbox and run arbitrary code in the nodejs process.
Remediation
There is no fixed version for isolated-vm.
I actually tried to ignore this in Snyk but it seemed to have popped up anyways. It's actually documented in the README to be careful how you use the SharedCache, as of course you can communicate between isolates, but we don't use it in that way so it's kind of a non-issue. I wonder if we can try and get that CVE closed at least. Looking at the one in GitHub, it's actually got a 'fix' version but it's not documented in Snyk.
Closing - reaching out to Snyk to see if we can get the same affected versions as the GitHub CVE GHSA-2jjq-x548-rhpv, as it's not a vulnerability; it's documented as "don't do this".
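The advisory above is about untrusted cached data reaching `CachedDataOptions`. As an added example (not code from isolated-vm or from this thread), one way to make sure only cache blobs your own process produced are ever handed over as cached data is to HMAC them before storing and verify on load. The function names, key handling and sample bytes below are assumptions.

```javascript
// Added example: authenticate V8 code-cache blobs before they reach isolated-vm.
const crypto = require('node:crypto');

const TAG_LEN = 32; // HMAC-SHA256 output size in bytes

// Bind the tag to the V8 build and the exact source text, because a code
// cache is only meaningful for the engine and script that produced it.
function tagFor(key, source, blob) {
  const h = crypto.createHmac('sha256', key);
  h.update(process.versions.v8);
  h.update('\0');
  h.update(crypto.createHash('sha256').update(source).digest());
  h.update(blob);
  return h.digest();
}

// Call this only on cache bytes produced by your own trusted process.
function sealCachedData(key, source, blob) {
  return Buffer.concat([tagFor(key, source, blob), blob]);
}

// Returns the cache bytes, or null when the blob is foreign, modified,
// or was sealed for a different script. On null, compile without a cache.
function openCachedData(key, source, sealed) {
  if (!Buffer.isBuffer(sealed) || sealed.length <= TAG_LEN) return null;
  const tag = sealed.subarray(0, TAG_LEN);
  const blob = sealed.subarray(TAG_LEN);
  return crypto.timingSafeEqual(tag, tagFor(key, source, blob)) ? blob : null;
}

// Constructed inputs: the "blob" is a stand-in, not real V8 cache output.
function demo() {
  const key = crypto.randomBytes(32); // assumption: kept outside cache storage
  const source = 'globalThis.answer = 6 * 7;';
  const blob = Buffer.from('constructed-stand-in-for-v8-cache-bytes');
  const sealed = sealCachedData(key, source, blob);
  const tampered = Buffer.from(sealed);
  tampered[TAG_LEN] ^= 1; // flip one bit of the payload
  return {
    ok: openCachedData(key, source, sealed),
    tampered: openCachedData(key, source, tampered),
    wrongSource: openCachedData(key, 'other script', sealed),
    unsealed: openCachedData(key, source, blob),
  };
}
```

The tag only proves the blob came from a holder of the key, so the key must not be reachable from sandboxed code or from wherever the cache is stored.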
Affecting Packages/Plugins
Overview
isolated-vm is an Access to multiple isolates