
vm2 Sandbox Escape vulnerability #1024

Closed
ajaykarthikr opened this issue Jul 17, 2023 · 6 comments

Comments

@ajaykarthikr

npm is reporting the vm2 vulnerability again. I have noticed the packages were updated recently, but it seems the issue wasn't resolved. I looked at the vm2 package; the author suggests using an alternative.

TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

Is it possible to fix this issue? This comes from the degenerator dependency.

Severity: critical
vm2 Sandbox Escape vulnerability - GHSA-cchq-frgv-rjh5

Reference: TooTallNate/proxy-agents#218

@webpro
Collaborator

webpro commented Jul 17, 2023

Thanks, @ajaykarthikr. The proxy-agent dependency is used in the GitHub plugin, and only when github.proxy is set. Most people don't use this, but on the other hand it is vital to some (e.g. when behind firewalls, etc.).

Let's track the reference issue indeed. Other suggestions also welcome of course.

❯ npm why vm2
vm2@3.9.19
node_modules/vm2
  vm2@"^3.9.19" from degenerator@4.0.4
  node_modules/degenerator
    degenerator@"^4.0.4" from pac-resolver@6.0.2
    node_modules/pac-resolver
      pac-resolver@"^6.0.1" from pac-proxy-agent@6.0.4
      node_modules/pac-proxy-agent
        pac-proxy-agent@"^6.0.4" from proxy-agent@6.2.2
        node_modules/proxy-agent
          proxy-agent@"6.2.2" from the root project

@kamal-brill

@webpro I understand, but as a package it's throwing critical errors when we run npm audit. So we are eagerly waiting for this to get resolved.

@webpro
Collaborator

webpro commented Jul 18, 2023

FYI, I'm not a security expert, but if this explanation is correct it sounds like the leak can only be exploited when the url (github.proxy in release-it) points to a pac (proxy auto config) file. If someone has a better understanding of this I'm all ears.

Usually release-it is a devDependency, not meant to run in your production environment.

Security tooling is essential; keep assessing the actual risks for your own circumstances.
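The two questions the thread keeps circling back to are "which chain pulls vm2 in?" (the `npm why` output above) and "is it reachable from anything that ships to production, or only from a devDependency?". The script below is an added example, not code from release-it, proxy-agent or any commenter: it walks a dependency tree in the nested shape of `npm ls --json --all` (package name to `{version, dependencies}`), collects every path to a target package, and reports whether any path starts from a non-dev top-level dependency. The tree, versions and devDependencies set are constructed by hand to mirror the chain printed above; `pkg`, `findPaths` and `assessExposure` are names chosen here.

```javascript
// Tiny constructor so the hand-built sample tree stays readable.
const pkg = (version, dependencies = {}) => ({ version, dependencies });

// Constructed sample mirroring the `npm why vm2` chain in the thread, plus one
// production dependency so the dev-vs-prod distinction has something to bite on.
const SAMPLE_TREE = {
  name: "my-app",
  dependencies: {
    "release-it": pkg("16.1.2", {
      "proxy-agent": pkg("6.2.2", {
        "pac-proxy-agent": pkg("6.0.4", {
          "pac-resolver": pkg("6.0.2", {
            degenerator: pkg("4.0.4", { vm2: pkg("3.9.19") }),
          }),
        }),
      }),
    }),
    express: pkg("4.18.2", { debug: pkg("2.6.9") }),
  },
};
// Top-level names listed under devDependencies in the root package.json (constructed).
const SAMPLE_DEV_DEPS = new Set(["release-it"]);

// Strip the trailing "@version" without breaking scoped names like "@scope/name@1.0.0".
const nameOf = (id) => id.slice(0, id.lastIndexOf("@"));

// Depth-first search returning every chain of "name@version" that ends at `target`.
function findPaths(tree, target) {
  const found = [];
  const walk = (deps, trail, seen) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const id = `${name}@${node.version}`;
      if (seen.has(id)) continue; // guard against cycles in deduplicated trees
      const next = [...trail, id];
      if (name === target) found.push(next);
      walk(node.dependencies, next, new Set([...seen, id]));
    }
  };
  walk(tree.dependencies, [], new Set());
  return found;
}

// A package reachable only through devDependencies never ships with the
// application, which is the risk distinction the comment above draws.
function assessExposure(tree, target, devDeps) {
  const paths = findPaths(tree, target);
  const prodPaths = paths.filter((p) => !devDeps.has(nameOf(p[0])));
  const present = paths.length > 0;
  return { present, devOnly: present && prodPaths.length === 0, paths, prodPaths };
}
```

On a real project the tree comes from `npm ls --json --all` and the dev set from the root package.json; `devOnly: true` is the case webpro describes, a finding that `npm audit --omit=dev` would not report.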

arafel added a commit to arafel/CaptchaJs that referenced this issue Jul 19, 2023
It's causing problems where sometimes we can't merge changes due to a
problem in a package 4 levels down that's only used for making releases.

(vm2, I'm looking at you.)

TooTallNate/proxy-agents#218 (comment)
release-it/release-it#1024 (comment)
@ghiscoding
Contributor

ghiscoding commented Jul 19, 2023

FYI, I also came here because I got security messages from GitHub as well, and I did notice it came from proxy-agent via a transitive dependency. I then searched proxy-agent and found that they indeed worked on addressing the issue via this PR - Use quickjs-emscripten instead of vm2 to execute PAC file code. The PR was merged yesterday and it looks like they also released it, as proxy-agent release v6.3.0 has the fix. So @webpro you might be able to just update to the latest version of proxy-agent and that will hopefully resolve the issue!? Crossing fingers 🤞🏻

If it doesn't, then I know release-it is a dev dep, so it's not the end of the world, but it's nice to see no security issue showing in audit though :)

@webpro
Collaborator

webpro commented Jul 20, 2023

🚀 This issue has been resolved in v16.1.3. See Release 16.1.3 for release notes.

@webpro webpro closed this as completed in 79430b4 Jul 20, 2023
@webpro
Collaborator

webpro commented Jul 20, 2023

Thanks for your notification, @ghiscoding!
