Vulnerability in [email protected] CVE-2023-29017

[rickyrattlesnake]

What's going wrong?

• Synk caught a vulnerability in vm2 < 3.9.15 https://www.cve.org/CVERecord?id=CVE-2023-29017
• This packaged is used by [email protected] › @pm2/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]

How could we reproduce this issue?

Supporting information

• Solution would be to update vm2 dependency to > 3.9.15. Fixed by [VM2 Sandbox Escape] Vulnerability in [email protected] patriksimek/vm2#515

$ pm2 report

[Shivdemo]

Hi PM2 Team,

This is regarding "CVE-2023-29017" vulnerability, can you advise the best approach:

1. When can we have a patch for "CVE-2023-29017" in PM2 ?
2. Can we directly upgrade the VM2 version, will it have an impact in the PM2 functioning ?
3. Can we remove this safely, if pm2 is not using this module, to be vulnerability free.

Please reply as soon as possible as the "vulnerability rating" is very high for this. That's why we need a urgent action on.

[Shivdemo]

Hi PM2 Team,

This is regarding "CVE-2023-29017" vulnerability, can you advise the best approach:

1. When can we have a patch for "CVE-2023-29017" in PM2 ?
2. Can we directly upgrade the VM2 version, will it have an impact in the PM2 functioning ?
3. Can we remove this safely, if pm2 is not using this module, to be vulnerability free.

Please reply as soon as possible as the "vulnerability rating" is very high for this. That's why we need a urgent action on.

Any update on this? This needs a fix urgently

[francescozanoni]

Hi, people.
Just my two cents: I've solved the issue by simply removing and re-adding pm2 package.
I could do this because I was aware of being already using the same version, which was in the past updated starting from ^5.1.2.
I suppose that removing and re-adding made Yarn search for the latest dependency versions, therefore vm2 constraint was changed from ^3.9.11 to ^3.9.17.
Hope this helps.