Abdullah Alhamdan

**Name of the Vulnerable Software and Affected Versions** querymen (affected versions not specified) **Description** The issue arises from the `handler(type, name, fn)` function, where the parameters can be controlled by users without proper sanitization, leading to Prototype Pollution. This is a result of an incomplete fix of a previous issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jailed versions (affected versions not specified) **Description** The issue concerns a Sandbox Bypass that can be exploited via an exported `alert()` method. This method can access the main application, posing a risk. The exported methods are stored in the `application.remote` object. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** notevil versions all argencoders-notevil versions all **Description** The issue is related to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. This vulnerability derives from an incomplete fix. The package notevil and its variant argencoders-notevil have been affected, with the latter being deprecated. **Recommendations** For notevil all versions, consider restricting access to the main context to prevent prototype pollution. For argencoders-notevil all versions, as the package is deprecated, it is recommended to avoid using it and consider alternative solutions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.9.6 **Description** The issue allows for Sandbox Bypass via direct access to host error objects generated by node internals during generation of stacktraces. This can lead to execution of arbitrary code on the host machine. **Recommendations** For versions prior to 3.9.6, update to version 3.9.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `vm2` package until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** putil-merge versions prior to 3.8.0 **Description** The issue arises from the `merge()` function not checking the values passed into its argument, allowing an attacker to supply a malicious value by adjusting it to include the `constructor` property. This vulnerability is a result of an incomplete fix. **Recommendations** For versions prior to 3.8.0, update to version 3.8.0 or later to resolve the issue. As a temporary workaround, consider disabling the `merge()` function until a patch is available. Restrict access to the `merge()` function to minimize the risk of exploitation. Avoid using the `constructor` property in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** realms-shim versions (affected versions not specified) **Description** The issue is related to a Sandbox Bypass via a Prototype Pollution attack vector. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** realms-shim (affected versions not specified) **Description** The issue is related to a Sandbox Bypass via a Prototype Pollution attack vector. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.9.4 **Description** The issue is related to a Prototype Pollution attack vector, which can lead to sandbox escape and execution of arbitrary code on the host machine. This allows for the execution of arbitrary code on the host machine, posing a significant security risk. **Recommendations** For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vm2 package until a patch is applied.