Snyk vulnerability [SNYK-JS-ISOLATEDVM-3037320] #18315
Labels
Comments
github-actions
bot
added
help wanted
|
@benjdlambert FYI |
|
I actually tried to ignore this in Snyk but it seemed to have popped up anyways. It's actually documented in the readme to be careful how you use the SharedCache as of course you can communicate between isolates, but we don't use it in that way so it's kind of a non-issue. I wonder if we can try and get that CVE closed at least. Looking at the one in GitHub it's actually got a 'fix' version but it's not documented in snyk |
|
Closing - reaching out to Snyk to see if we can get the same affected versions as the github cve GHSA-2jjq-x548-rhpv as it's not a vulnerability it's documented as don't do this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affecting Packages/Plugins
Overview
isolated-vm is an Access to multiple isolates
Affected versions of this package are vulnerable to Remote Code Execution (RCE) when untrusted v8 cached data is passed to the API through
CachedDataOptions, by allowing attackers to bypass the sandbox and run arbitrary code in the nodejs process.Remediation
There is no fixed version for
isolated-vm.The text was updated successfully, but these errors were encountered: