CVE-2022-25893

CRITICAL Year: 2022
CVSS v3 Score
9.8
Critical
Weakness Type
CWE-471
View all →

Vulnerability Description

The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

Related Vulnerabilities

CVE-2020-8147

CRITICAL
CVSS:9.8(Critical)

Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using ...

CWE-4712020

CVE-2020-8158

CRITICAL
CVSS:9.8(Critical)

Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

CWE-4712020

CVE-2018-3719

HIGH
CVSS:8.8(High)

mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing...

CWE-4712018

CVE-2018-3720

HIGH
CVSS:8.8(High)

assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causin...

CWE-4712018

CVE-2018-3722

HIGH
CVSS:8.8(High)

merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing...

CWE-4712018

CVE-2018-3723

HIGH
CVSS:8.8(High)

defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, caus...

CWE-4712018