Security: Transitive remote code execution vulnerabiility through proxy-agent -> ... -> vm2 (CVE-2023-37903) #45
Comments
|
https://github.com/thwalker6/serverless-cloudfront-invalidate if you want to use this fork this will resolve it. I put it as serverless-cf-invalidate-proxy because I'm not to creative with names. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://www.cve.org/CVERecord?id=CVE-2023-37903
The vm2 library is vulnerable to a remote code execution attack, and the library is discontinued and no further updates are expected there to fix this.
The dependency chain for this is:
[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
The fix for serverless-cloudfront-invalidate would be to upgrade to proxy-agent 6.3.0 or newer. Proxy-agent 6.3.0 transitions away from vm2 to quickjs-emscripten.
https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0
https://github.com/TooTallNate/proxy-agents/releases/tag/pac-proxy-agent%407.0.0
There is a fix waiting in PR #43 already.
The text was updated successfully, but these errors were encountered: