JavaScript Express vm2 vulnerability scanner: here misses real vulnerable code.
The vulnerable file is here, and it is part of a completely reproducible Docker image
vulnerable to CVE-2023-37466.
It seems that not all syntactic cases were handled.
Here is a minimal PoC that demonstrates the cause:
$ diff original.js slightly_different_syntax.js
2c2
< const { VM } = require('vm2');
---
> const vm = require("vm2");
13c13
< new VM({ timeout: 40 * 1000, sandbox }).run(code);
---
> new vm.VM({ timeout: 40 * 1000, sandbox }).run(code);
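Review bot: the only difference between the two files is how `VM` is reached (the destructured `const { VM } = require('vm2')` versus the namespace form `const vm = require("vm2")` followed by `new vm.VM(...)`); the sink call `.run(code)` is identical in both, so a rule whose sink pattern is written against the bare `VM` identifier cannot see the second form. The rule should match the constructor through either import style, for example with a `pattern-either` over `new VM(...).run($CODE)` and `new $VM2.VM(...).run($CODE)` where `$VM2` is bound to `require('vm2')`, and a test fixture containing the `vm.VM` variant would keep this shape from regressing.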
When I run a semgrep scan, only the original version is found, although
the slightly modified version is vulnerable too ...
$ semgrep --config=rules.yaml # <--- only 1 code finding ...
┌────────────────┐
│ 1 Code Finding │
└────────────────┘
original.js
❯❱ express-vm2-injection
Make sure that unverified user data can not reach `vm2`.
13┆ new VM({ timeout: 40 * 1000, sandbox }).run(code);
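The following is an added example, not the upstream `express-vm2-injection` rule from the semgrep-rules repository and not part of this issue: a taint-mode semgrep rule that recognises the sink through both import styles shown in the diff, the destructured `const { VM } = require('vm2')` and the namespace form `const vm = require("vm2")` with `new vm.VM(...)`. The rule id, the message text and the choice of `req.body` / `req.query` / `req.params` as taint sources are assumptions made for the illustration; the real rule's sources and message may differ.

```yaml
rules:
  - id: express-vm2-injection-both-import-styles   # illustrative id, not the upstream rule's
    languages: [javascript]
    severity: ERROR
    message: >-
      Untrusted request data reaches a vm2 sandbox via `VM.run`. vm2 sandbox
      escapes such as CVE-2023-37466 let that input execute on the host, so
      user-controlled code must never be passed to vm2.
    metadata:
      cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    mode: taint
    # Assumed sources: the usual Express request fields. A stricter rule would
    # additionally require these to sit inside an Express route handler.
    pattern-sources:
      - pattern-either:
          - pattern: $REQ.body
          - pattern: $REQ.query
          - pattern: $REQ.params
    pattern-sinks:
      - patterns:
          - pattern-either:
              # Form 1: destructured import, e.g.
              #   const { VM } = require('vm2');
              #   new VM({ timeout: 40 * 1000, sandbox }).run(code);
              - patterns:
                  - pattern-inside: |
                      const { VM } = require('vm2');
                      ...
                  - pattern: new VM(...).run($CODE)
              # Form 2: namespace import, e.g.
              #   const vm = require("vm2");
              #   new vm.VM({ timeout: 40 * 1000, sandbox }).run(code);
              # $VM2 binds whatever name the module object was given; semgrep
              # treats 'vm2' and "vm2" as the same string literal.
              - patterns:
                  - pattern-inside: |
                      const $VM2 = require('vm2');
                      ...
                  - pattern: new $VM2.VM(...).run($CODE)
          # Only the code argument is the sink, not the whole constructor chain.
          - focus-metavariable: $CODE
```

Run it with `semgrep --config rule.yaml` against both `original.js` and `slightly_different_syntax.js`; with the second `pattern-either` branch present, the `new vm.VM(...).run(code)` variant is reported as well. Keeping both files as test fixtures next to the rule is what prevents the namespace form from silently dropping out again.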