CVE-2022-36067
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
Description
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

### Patches
This vulnerability was patched in the release of version `3.9.11` of `vm2`.

### Workarounds
None.

### References
* GitHub Issue - https://github.com/patriksimek/vm2/issues/467
* The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
* The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [VM2](https://github.com/patriksimek/vm2)
How to fix CVE-2022-36067
To remediate CVE-2022-36067, upgrade the affected package to a fixed version below.
- `vm2`: upgrade to 3.9.11 or later
Is CVE-2022-36067 being exploited?
Likely — EPSS is 84.5%, placing CVE-2022-36067 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- `vm2`: from 0, < 3.9.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |