Code Injection via Untrusted Input to vm2

Description

Untrusted user input reaching `vm2` can result in code injection. This occurs when user-controlled data is used to construct or influence code that is executed by the `vm2` module, potentially leading to the execution of malicious code.

Examples

Insecure Code

javascript

const vm = require('vm2'); vm.run(userInput);

Secure Code

javascript

const vm = require('vm2'); const safeInput = validateUserInput(userInput); vm.run(safeInput);

Remediation

Validate and sanitize all user input before passing it to `vm2`. Ensure that any code executed by `vm2` is thoroughly reviewed and does not directly incorporate user input.

Rule Details

Field	Value
ID	CODE-0380
Category	Injection
Severity	CRITICAL
CWE	CWE-94
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	code injection, user input validation
OWASP	A1:2017-Injection, A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Code Injection via Untrusted Input to vm2

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Code Injection via Untrusted Input to vm2 ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Code Injection via Untrusted Input to vm2

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details