Home > Vulnerability Database > CVE-2022-25893

Mend.io Vulnerability Database

CVE-2022-25893

Good to know:

Date: December 21, 2022

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Language: JS

Severity Score

9.8

Related Resources (6)

Url: https://github.com/patriksimek/vm2

Url: https://github.com/patriksimek/vm2/issues/444

Url: https://github.com/patriksimek/vm2/pull/445

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25893

Url: https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69

Url: https://www.mend.io/vulnerability-database/CVE-2022-25893

Severity Score

9.8

Weakness Type (CWE)

Code Injection

CWE-94

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.9.10

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25893

Good to know:

Date: December 21, 2022

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?