PT-2022-24856 · Unknown · Isolated-Vm

Laverdet · Published 2022-09-29 · Updated 2023-08-25 · CVE-2022-39266

CVSS v3.1: 9.6 Critical

Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

isolated-vm versions 4.3.6 and prior

Description

The issue allows attackers to bypass the sandbox and run arbitrary code in the Node.js process if untrusted V8 cached data is passed to the API through CachedDataOptions. This can be exploited by passing malicious cachedData payloads. Version 4.3.7 updates the documentation to warn users against accepting cachedData payloads from untrusted sources.

Recommendations

For versions 4.3.6 and prior, as a temporary workaround, consider restricting the use of CachedDataOptions so that untrusted cachedData payloads are not accepted until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
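
One way to enforce the restriction above, as an added example (not code from isolated-vm or from this advisory): seal each cachedData blob your own service produces with an HMAC, and drop any blob whose tag does not verify so the script is compiled from source instead. The function names, the key handling and the `wrap` callback (which converts the verified bytes into whatever form the API expects) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const TAG_LEN = 32; // HMAC-SHA256 output size in bytes

// The tag covers the script source hash and the blob, so a blob sealed for
// one script is rejected when presented for a different script.
function tagFor(key, source, blob) {
  const srcHash = crypto.createHash('sha256').update(source, 'utf8').digest();
  return crypto.createHmac('sha256', key).update(srcHash).update(blob).digest();
}

// Call on cachedData this service produced itself, before storing it.
function sealCache(key, source, blob) {
  return Buffer.concat([tagFor(key, source, blob), blob]);
}

// Returns the bare blob if the tag verifies, otherwise null.
function openCache(key, source, sealed) {
  if (!Buffer.isBuffer(sealed) || sealed.length <= TAG_LEN) return null;
  const tag = sealed.subarray(0, TAG_LEN);
  const blob = sealed.subarray(TAG_LEN);
  return crypto.timingSafeEqual(tag, tagFor(key, source, blob)) ? blob : null;
}

// Builds the compile options: cachedData is present only for verified blobs.
function cachedDataOptions(key, source, sealed, wrap) {
  const blob = openCache(key, source, sealed);
  return blob ? { cachedData: wrap(blob) } : {};
}

// Constructed sample data: the blob bytes are placeholders, not V8 output.
function demo() {
  const key = crypto.randomBytes(32);
  const source = 'result = 1 + 1';
  const sealed = sealCache(key, source, Buffer.from('constructed-cache-bytes'));
  const tampered = Buffer.from(sealed);
  tampered[TAG_LEN] ^= 1; // flip one bit of the blob
  return {
    ok: openCache(key, source, sealed) !== null,
    tampered: openCache(key, source, tampered),
    otherSource: openCache(key, 'other script', sealed),
    untagged: cachedDataOptions(key, source, Buffer.alloc(40, 0x78), (b) => b),
  };
}
```

A valid tag only shows that the blob was sealed by a holder of the key, so the key must stay on the side that produces the cache and never be available to tenants or sandboxed code.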

Exploit

Protection Mechanism Failure

Improper Authentication

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-39266
GHSA-2JJQ-X548-RHPV

Affected Products

Isolated-Vm