CVE-2019-10761

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.6.11

Description The issue allows an attacker to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script, allowing it to spawn a child process and execute arbitrary code.

Recommendations For versions prior to 3.6.11, update to version 3.6.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of infinite recursion in scripts to minimize the risk of exploitation.