Home > Vulnerability Database > CVE-2022-39266

Mend.io Vulnerability Database

CVE-2022-39266

Date: September 29, 2022

isolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.

Language: JS

Severity Score

9.6

Related Resources (7)

Url: https://github.com/laverdet/isolated-vm

Url: https://github.com/laverdet/isolated-vm/commits/v4.3.7

Url: https://github.com/laverdet/isolated-vm/commit/218e87a6d4e8cb818bea76d1ab30cd0be51920e8

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39266

Url: https://github.com/laverdet/isolated-vm/issues/379

Url: https://github.com/laverdet/isolated-vm/security/advisories/GHSA-2jjq-x548-rhpv

Url: https://www.mend.io/vulnerability-database/CVE-2022-39266

Severity Score

9.6

Weakness Type (CWE)

Authentication Issues

CWE-287

Input Validation

CWE-20

Protection Mechanism Failure

CWE-693

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39266

Date: September 29, 2022

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?