
Directus affected by VM2 sandbox escape vulnerability

Impact

In vm2 versions up to and including 3.9.19, Promise handler sanitization can be bypassed, allowing an attacker who can run code inside the sandbox to escape it and execute arbitrary code in the host process. In Directus this reaches the "Run Script" operation of Flows: a script submitted through that operation can escape the sandbox and run in the main Node.js process, outside any sandbox.

Patches

Patched in Directus v10.6.0, which replaces vm2 with isolated-vm for the Run Script operation.
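
To find out whether a given deployment carries the affected code, the dependency lockfile is enough: vm2 at or below 3.9.19 anywhere in the tree, or a directus package below 10.6.0, means the vulnerable Run Script path is present. The audit below is an added example, not code from Directus or from this advisory; it assumes an npm lockfileVersion 2 or 3 file and uses two constructed sample lockfiles in place of a real one (the isolated-vm version in the patched sample is illustrative).

```javascript
// Two constructed npm lockfiles (lockfileVersion 3 layout), trimmed to the
// entries that matter. Neither comes from a real Directus install.
const SAMPLE_LOCKFILE_AFFECTED = JSON.stringify({
  name: "directus-deploy",
  lockfileVersion: 3,
  packages: {
    "": { name: "directus-deploy", dependencies: { directus: "10.5.3" } },
    "node_modules/directus": { version: "10.5.3", dependencies: { vm2: "3.9.19" } },
    // vm2 nested under directus: a check of top-level entries only would miss it
    "node_modules/directus/node_modules/vm2": { version: "3.9.19" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

const SAMPLE_LOCKFILE_PATCHED = JSON.stringify({
  name: "directus-deploy",
  lockfileVersion: 3,
  packages: {
    "": { name: "directus-deploy", dependencies: { directus: "10.6.0" } },
    // isolated-vm version is illustrative sample data, not a real pin
    "node_modules/directus": { version: "10.6.0", dependencies: { "isolated-vm": "4.5.0" } },
    "node_modules/isolated-vm": { version: "4.5.0" },
  },
});

// Version thresholds taken from the advisory text.
const VM2_LAST_AFFECTED = "3.9.19"; // vm2 up to and including 3.9.19 is affected
const DIRECTUS_FIXED = "10.6.0";    // Directus dropped vm2 for isolated-vm in 10.6.0

// "v1.2.3-rc.1+build" -> [1, 2, 3]; pre-release and build tags are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator on major.minor.patch: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile "packages" key, e.g.
// "node_modules/directus/node_modules/@scope/pkg" -> "@scope/pkg".
function packageName(path, meta) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx >= 0 ? path.slice(idx + marker.length) : meta.name || path;
}

// Walk every installed package (nested copies included) and report the ones
// the advisory covers. Only lockfileVersion 2/3 ("packages" map) is handled.
function auditLockfile(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 not supported: regenerate with a current npm");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta.version) continue; // root entry / link entries
    const name = packageName(path, meta);
    if (name === "vm2" && compareVersions(meta.version, VM2_LAST_AFFECTED) <= 0) {
      findings.push({
        path, version: meta.version,
        reason: `vm2 <= ${VM2_LAST_AFFECTED}: Promise handler sanitization bypass (GHSA-cchq-frgv-rjh5)`,
      });
    }
    if (name === "directus" && compareVersions(meta.version, DIRECTUS_FIXED) < 0) {
      findings.push({
        path, version: meta.version,
        reason: `directus < ${DIRECTUS_FIXED}: Run Script flow operation still uses vm2`,
      });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCKFILE_AFFECTED)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Walking every `node_modules/` path is what catches a vm2 copy nested under directus, which a look at the root entry's dependencies alone would miss. On a running container, `npm ls vm2` from the application directory answers the same question for the installed tree. A vm2 version newer than 3.9.19 is deliberately not reported: the advisory only states which versions are affected, not which vm2 release, if any, fixes the bypass.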

Workarounds

None

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

CVSS v3:

  • Severity: High (derived from the vector below)
  • Score: 7.6 (base score computed from the vector below)
  • AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

No CWE or OWASP classifications available.