CVE-2021-23449
Published 2021-10-18
CVE-2021-23449: This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
Priority P359 · critical · 10 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 3.48% (87.6th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vm2_project | vm2 | < 3.9.4 | 3.9.4 |
| vm2_project | vm2 | >= 0 < 3.9.4 | 3.9.4 |
| vm2_project | vm2 | >= unspecified < 3.9.4 | 3.9.4 |
CVSS provenance
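| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |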
GHSA
Prototype Pollution in vm2
ghsa·2021-10-19
CVE-2021-23449 [CRITICAL] CWE-1321 Prototype Pollution in vm2
This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
OSV
Prototype Pollution in vm2
osv·2021-10-19
CVE-2021-23449 [CRITICAL] Prototype Pollution in vm2
This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
https://github.com/patriksimek/vm2/issues/363
https://github.com/patriksimek/vm2/releases/tag/3.9.4
https://security.netapp.com/advisory/ntap-20211029-0010/
https://snyk.io/vuln/SNYK-JS-VM2-1585918
Published: 2021-10-18