PT-2021-14488 · Node.Js · Isolated-Vm

Cristianstaicu +1 · Published 2021-03-30 · Updated 2021-04-07 · CVE-2021-21413

CVSS v3.1: 9.6 (Critical)

Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

isolated-vm versions prior to 4.0.0

Description

The isolated-vm library for Node.js has API pitfalls that may expose supposedly secure isolates to the permissions of the main Node.js isolate. Reference objects allow access to the underlying reference's full prototype chain, potentially enabling attackers to acquire a Reference to the Node.js context's Function object. Similar attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem, potentially leading to arbitrary code execution if combined with a file upload API.

Recommendations

For versions prior to 4.0.0, update to version 4.0.0 or later. That release includes changes such as updated documentation, Reference instances that no longer follow prototype chains by default, immutable isolated-vm API prototypes, and restrictions on invoking the NativeModule constructor.
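
Why restricting Reference lookups to own properties closes the path to the Function object can be seen in a small model. This is an added example, not code from isolated-vm or from this advisory: `LooseHandle`, `StrictHandle` and `reachesHostFunction` are hypothetical names that only mimic the lookup behaviour described above, and the shared object is constructed sample data.

```javascript
// Toy model added for illustration; this is NOT isolated-vm's API.
// LooseHandle, StrictHandle and reachesHostFunction are hypothetical names.

const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Models the pre-4.0.0 behaviour the advisory describes: a property read
// through the handle follows the target's full prototype chain.
class LooseHandle {
  constructor(target) { this.target = target; }
  get(key) {
    const value = this.target[key]; // own property first, then inherited
    return isObjectLike(value) ? new LooseHandle(value) : value;
  }
}

// Models the 4.0.0 default: only the target's own properties are visible.
class StrictHandle {
  constructor(target) { this.target = target; }
  get(key) {
    if (!Object.prototype.hasOwnProperty.call(this.target, key)) return undefined;
    const value = this.target[key];
    return isObjectLike(value) ? new StrictHandle(value) : value;
  }
}

// Reports whether code holding only `handle` can reach the host realm's
// Function object by reading inherited `constructor` properties.
function reachesHostFunction(handle) {
  let current = handle;
  for (let hop = 0; hop < 2; hop++) {
    current = current.get('constructor');
    if (!isObjectLike(current)) return false; // lookup was refused
  }
  return current.target === Function;
}

// Constructed sample: a host object the embedder meant to share as plain data.
const shared = { greeting: 'hello', nested: { n: 1 } };

console.log('prototype-following handle:', reachesHostFunction(new LooseHandle(shared)));
console.log('own-properties-only handle:', reachesHostFunction(new StrictHandle(shared)));
```

The own-properties-only handle still serves the data the embedder intended to share (`greeting`, `nested.n`), so the restriction costs nothing for plain data objects.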


Related Identifiers

CVE-2021-21413
GHSA-MMHJ-4W6J-76H7

Affected Products

Isolated-Vm