GHSA-g6w6-h933-4rc5: 
JavaScript vulnerability analysis and mitigation

The vulnerability GHSA-g6w6-h933-4rc5 affects Soketi versions below 1.6.0, exposing it to a Sandbox Escape vulnerability through the vm2 dependency. This critical severity vulnerability was published on August 3, 2023, and affects both npm package @soketi/soketi and Docker images. The vulnerability primarily impacts users who utilized Soketi with the cluster driver or through PM2 (GitHub Advisory).

The vulnerability has a CVSS score of 9.8 (Critical), with base metrics indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability scope is unchanged, but it has high impact on confidentiality, integrity, and availability. The vulnerability is tracked as CWE-94 (GitHub Advisory).

The vulnerability allows attackers to escape the sandbox environment and potentially execute arbitrary code. This affects anyone who might have used Soketi with the cluster driver or through PM2, potentially compromising the security of the affected systems (GitHub Advisory).

The vulnerability has been patched in Soketi version 1.6.0. Users are strongly advised to upgrade to this version as there are no alternative workarounds available. For Docker users, the patched versions are 1.6.0-16-distroless, 1.6.0-16-alpine, and 1.6.0-16-debian (GitHub Advisory, Soketi Release).

The vulnerability led to significant changes in the ecosystem, with the vm2 project being discontinued due to security issues that could not be properly addressed. The maintainers recommended switching to isolated-vm as an alternative (VM2 Issue).