
VM2 Critical security issue and have been discontinued #30283

Closed
tobiasimbus opened this issue Sep 5, 2023 · 1 comment

Comments

@tobiasimbus

Since mid-July there has been a critical issue in the vm2 sandbox for Node.js:
GHSA-cchq-frgv-rjh5
The developer has set the project to discontinued and recommends migrating to another library.
https://github.com/patriksimek/vm2

Description:

Use in Rocket.Chat:
apps/meteor/app/integrations/server/api/api.js

import { VM, VMScript } from 'vm2';

Are there any plans to replace this library?

@pierre-lehnen-rc
Contributor

Related to vm2 being used by integrations (the file you linked):

Check #30053 and #30229

vm2 is still available to be used until the next major version of Rocket.Chat, as the issue can only be abused by someone with admin access, but you can already disable it completely with env vars.

Our apps-engine also depends on vm2, and we have separate work happening there to replace it completely, as well as temporary solutions available to block it from being used.
