sec: critical vulnerability in transitive dep vm2 (via superagent-proxy) #380
Comments
We're keeping an eye on upstream for a fix for the moment. In the meantime, here's some information about Honeycomb's use of vm2:
What's This Mean For A Libhoney User? (according to our current understanding, confirmed upstream)
proxy-agent release 6.3.0 contains a fix in f1f3220d1. superagent-proxy's dependency on proxy-agent is currently
## Which problem is this PR solving?
- Resolves #380
## Short description of the changes
This is the equivalent behavior of the previous agent configuration. If a proxy URL is provided in libhoney config, a single ProxyAgent will be created with that proxy URL set for all connections. No nuanced lookup of proxy config from the environment based on target URL protocol. [proxy-agent is a hefty import](https://bundlephobia.com/package/[email protected]), but we were importing an early edition of it ([v5.0.0](https://bundlephobia.com/package/[email protected])) already via superagent-proxy.
---------
Co-authored-by: JamieDanielson <[email protected]>
Versions
Description
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. The vm2 project alerts to the existence of critical security issues and claims to have been discontinued, therefore recommending replacing vm2 with isolated-vm.