helix-bot opened a new issue, #2474: URL: https://github.com/apache/helix/issues/2474
Issue: Npm library vm2 is vulnerable to sandbox escape resulting in remote code execution.

Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. In helix-front, vm2 is a child dependency of dependency proxy-agent.

Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Recommendation:
1) Please upgrade to vm2 version 3.9.15

References:
[GHSA-7jxr-cg7f-gpgv](https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv)
https://nvd.nist.gov/vuln/detail/CVE-2023-29017
[patriksimek/vm2#515](https://github.com/patriksimek/vm2/issues/515)
[patriksimek/vm2@d534e57](https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50)
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
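An added example, not code from the helix issue, helix-front or the vm2 project: a Node.js check that scans a parsed package-lock.json for copies of vm2 below the fixed release 3.9.15, including transitive copies such as the proxy-agent path described above. The lockfile sample, the proxy-agent version and its vm2 range are constructed.

```javascript
// Added example (not from the helix issue or vm2): find vm2 < 3.9.15 in a package-lock.
const FIXED_VM2 = "3.9.15"; // first vm2 release fixing CVE-2023-29017

// Numeric dotted-version compare (negative if a < b); string comparison would
// wrongly rank "3.9.15" below "3.9.9". Pre-release suffixes are dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ path, version }] for every vulnerable vm2 copy in the lockfile.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 nests "dependencies", so transitive copies must be walked.
function findVulnerableVm2(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key.endsWith("node_modules/vm2") && compareVersions(pkg.version, FIXED_VM2) < 0) {
        hits.push({ path: key, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2" && compareVersions(dep.version, FIXED_VM2) < 0) {
          hits.push({ path, version: dep.version });
        }
        if (dep.dependencies) walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed lockfile v3 sample mirroring helix-front: vm2 is reached only through proxy-agent.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "helix-front" },
    "node_modules/proxy-agent": { version: "0.0.0-sample", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.9.14" },
  },
};
```

Run `findVulnerableVm2(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` against a real lockfile; an empty result means no vm2 copy below 3.9.15 is installed by that lockfile.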
