@ionic/cli critical vulnerabiliy with vm2 #4921

anthony-bernardo · 2022-10-09T10:37:30Z

It's seems that there is a vulnerability within @ionic/cli

vm2  <3.9.11
Severity: critical
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host - https://github.com/advisories/GHSA-mrgp-mrhc-5jrq

└─┬ @ionic/cli@6.20.3
  └─┬ superagent-proxy@3.0.0
    └─┬ proxy-agent@5.0.0
      └─┬ pac-proxy-agent@5.0.0
        └─┬ pac-resolver@5.0.0
          └─┬ degenerator@3.0.2
            └── vm2@3.9.9

The text was updated successfully, but these errors were encountered:

jcesarmobile · 2023-01-12T18:03:17Z

Please, only report vulnerabilities of direct dependencies.

This is no longer an issue, has been fixed automatically since none of the packages is using a package-lock.json file, so it picks latest versions available.

jskrepnek · 2023-08-31T19:56:12Z

If you're not using the proxy features of the CLI, just override the dep:

  "overrides": {
    "proxy-agent": "6.3.0"
  }

I've not observed any downsides so far.

ionitron-bot bot added the triage label Oct 9, 2022

jcesarmobile closed this as not planned Won't fix, can't repro, duplicate, stale Jan 12, 2023

szaboopeeter mentioned this issue Oct 1, 2023

Use proxy-agent instead of superagent-proxy #5042

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

@ionic/cli critical vulnerabiliy with vm2 #4921

@ionic/cli critical vulnerabiliy with vm2 #4921

anthony-bernardo commented Oct 9, 2022

jcesarmobile commented Jan 12, 2023

jskrepnek commented Aug 31, 2023

@ionic/cli critical vulnerabiliy with vm2 #4921

@ionic/cli critical vulnerabiliy with vm2 #4921

Comments

anthony-bernardo commented Oct 9, 2022

jcesarmobile commented Jan 12, 2023

jskrepnek commented Aug 31, 2023