Security: Transitive remote code execution vulnerabiility through proxy-agent -> ...  -> vm2 (CVE-2023-37903)

https://www.cve.org/CVERecord?id=CVE-2023-37903

The vm2 library is vulnerable to a remote code execution attack, and the library is discontinued and no further updates are expected there to fix this.

The dependency chain for this is:

serverless-cloudfront-invalidate@1.12.2 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › vm2@3.9.19 

The fix for serverless-cloudfront-invalidate would be to upgrade to proxy-agent 6.3.0 or newer. Proxy-agent 6.3.0 transitions away from vm2 to quickjs-emscripten.

https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0

https://github.com/TooTallNate/proxy-agents/releases/tag/pac-proxy-agent%407.0.0

There is a fix waiting in PR #43 already.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Transitive remote code execution vulnerabiility through proxy-agent -> ... -> vm2 (CVE-2023-37903) #45

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Transitive remote code execution vulnerabiility through proxy-agent -> ... -> vm2 (CVE-2023-37903) #45

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions