CVE-2022-39266 CRITICAL

CVE-2022-39266: isolated-vm has vulnerable CachedDataOptions in API

Vendor: Laverdet
Product: isolated-vm
Weakness: CWE-693
Published: September 29, 2022
Last update: April 23, 2025

CVSS base score

9.7/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

isolated-vm is a library for Node.js that gives the user access to V8's Isolate interface. In versions 4.3.6 and prior, if untrusted V8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the Node.js process. Version 4.3.7 changes the documentation to warn users that they should not accept `cachedData` payloads from a user.
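One way to apply that warning in a service that compiles caller-supplied scripts, as an added example (not code from isolated-vm or from this record): caller options are filtered through an allowlist, so `cachedData` and `produceCachedData` never come from the request, and a cache blob is attached only if the server produced and HMAC-sealed it itself. The helper names, the in-memory `Map` store, the `wrap` hook and the per-process key are assumptions for illustration; the forwarded option names should be checked against the isolated-vm version in use.

```javascript
const crypto = require('crypto');

// Assumption: a server-side secret; generated per process here for the demo.
const CACHE_KEY = crypto.randomBytes(32);
// Caller-supplied options that may be forwarded. cachedData and
// produceCachedData are deliberately not on this list.
const ALLOWED_FROM_CALLER = ['filename', 'lineOffset', 'columnOffset'];

const sourceId = (source) =>
  crypto.createHash('sha256').update(source).digest('hex');

// The tag binds a cache blob to the exact source text it was produced from.
function tagFor(source, bytes) {
  return crypto.createHmac('sha256', CACHE_KEY)
    .update(sourceId(source)).update(bytes).digest();
}

// Store a cache blob that this server produced itself for `source`.
function sealCache(store, source, bytes) {
  store.set(sourceId(source), { bytes, tag: tagFor(source, bytes) });
}

// Return the stored blob only if its tag still matches source and bytes.
function openCache(store, source) {
  const entry = store.get(sourceId(source));
  if (!entry) return null;
  const expected = tagFor(source, entry.bytes);
  const ok = entry.tag.length === expected.length &&
    crypto.timingSafeEqual(entry.tag, expected);
  return ok ? entry.bytes : null;
}

// Build the options object for a compile call from untrusted input.
// `wrap` (hypothetical hook) converts bytes to whatever the API expects.
function buildCompileOptions(callerOptions, source, store, wrap = (b) => b) {
  const options = {};
  for (const key of ALLOWED_FROM_CALLER) {
    if (Object.prototype.hasOwnProperty.call(callerOptions, key)) {
      options[key] = callerOptions[key];
    }
  }
  const trusted = openCache(store, source);
  if (trusted) options.cachedData = wrap(trusted);
  return options;
}
```

The seal only proves that a blob is the one the server stored for that exact source; it still has to have been produced locally by the same V8 build, never received from a client.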

Key dates

02 Disclosure timeline

September 29, 2022: CVE published
April 23, 2025: Record updated