Wiz
Vulnerability DatabaseCVE-2022-25893

CVE-2022-25893
JavaScript vulnerability analysis and mitigation

Overview

The vulnerability CVE-2022-25893 affects the vm2 package versions before 3.9.10. This vulnerability was discovered in July 2022 and allows arbitrary code execution through the manipulation of WeakMap.prototype.set method (GitHub Issue, Snyk Report). The vm2 package is a sandbox designed to run untrusted code with whitelisted Node's built-in modules.

Technical details

The vulnerability stems from the improper usage of prototype lookup for the WeakMap.prototype.set method. An attacker can exploit this by manipulating the WeakMap prototype to gain access to host objects and compromise the sandbox. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (Snyk Report).

Impact

When successfully exploited, this vulnerability can lead to total loss of confidentiality, integrity, and availability of the affected system. The attacker can gain complete access to protected resources, modify files, and potentially execute arbitrary code on the host system (Snyk Report).

Mitigation and workarounds

The recommended mitigation is to upgrade the vm2 package to version 3.9.10 or higher. The vulnerability was fixed by avoiding prototype lookup and implementing proper security measures in the WeakMap.prototype.set method implementation (GitHub PR).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-23744CRITICAL9.8
  • JavaScriptJavaScript
  • @mcpjam/inspector
NoYesJan 16, 2026
CVE-2026-23735HIGH8.7
  • JavaScriptJavaScript
  • graphql-modules
NoYesJan 16, 2026
GHSA-gw32-9rmw-qwwwHIGH8.4
  • JavaScriptJavaScript
  • svelte
NoYesJan 16, 2026
CVE-2026-23745HIGH8.2
  • JavaScriptJavaScript
  • nodejs-full-i18n
NoYesJan 16, 2026
GHSA-38cw-85xc-xr9xMEDIUM6.8
  • JavaScriptJavaScript
  • @veramo/data-store
NoYesJan 16, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo