vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Developer Hub 1.10 | RedHat | rhdh/rhdh-hub-rhel9:1783448184 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1782761244 | * |