{
  "schema_version": "1.4.0",
  "id": "GHSA-mmhj-4w6j-76h7",
  "modified": "2021-03-30T22:27:45Z",
  "published": "2021-04-06T17:22:55Z",
  "aliases": [
    "CVE-2021-21413"
  ],
  "summary": "Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate",
  "details": "Versions of `isolated-vm` before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate.\n\n`Reference` objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a `Reference` instance to an attacker they would be able to use it to acquire a `Reference` to the nodejs context's `Function` object.\n\nSimilar application-specific attacks could be possible by modifying the local prototype of other API objects.\n\nAccess to `NativeModule` objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution.\n\nTo address these issues the following changes were made in v4.0.0:\n- Documentation was updated with more explicit guidelines on building secure applications.\n- `Reference` instances will no longer follow prototype chains by default, nor will they invoke accessors or proxies.\n- All `isolated-vm` API prototypes are now immutable.\n- `NativeModule` constructor may only be invoked from a nodejs isolate.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "isolated-vm"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21413"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-30T22:27:45Z",
    "nvd_published_at": "2021-03-30T23:15:00Z"
  }
}