
upgrading to proxy-agent 6.3 to avoid vulnerabilities #458

Open · wants to merge 1 commit into master

Conversation

@DimejiFaluyi DimejiFaluyi commented Aug 23, 2023

CVE-2023-37903

I would like to update to proxy-agent 6.3 to avoid a vuln around older versions of proxy-agent that use vm2 which allows for Remote Code Execution.

Background info:
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox. There are no patches and no known workarounds. Users are advised to find alternative software.

I've linked the proxy-agent changelog here.

@DimejiFaluyi

@JoshuaWalsh tagging just in case.

@DimejiFaluyi

tagging @jariz just in case as well

@mglombicki-square

@JoshuaWalsh / @jariz is this a change you could review? Updating proxy-agent would help get rid of a vulnerability in the dependency chain.

2 participants