critical vm2 security issues

[vsanse]

What's going wrong?

GHSA-cchq-frgv-rjh5

Security issue found in vm2, allows remote code execution

How could we reproduce this issue?

POC not yet disclosed.

Supporting information

vm2 is already deprecated. it suggests switching to isolated-vm
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F

$ pm2 report

OUTPUT

--- PM2 report ----------------------------------------------------------------
Date                 : Tue Jul 18 2023 07:27:44 GMT+0000 (Coordinated Universal Time)
===============================================================================
--- Daemon -------------------------------------------------
pm2d version         : 5.3.0
node version         : 16.20.0
node path            : /home/user/.nvm/versions/node/v16.20.0/bin/pm2
argv                 : /home/ec2-user/.nvm/versions/node/v16.20.0/bin/node,/home/user/.nvm/versions/node/v16.20.0/lib/node_modules/pm2/lib/Daemon.js
argv0                : node
user                 : ec2-user
uid                  : 1000
gid                  : 1000
uptime               : 21212min
===============================================================================
--- CLI ----------------------------------------------------
local pm2            : 5.3.0
node version         : 16.20.0
node path            : /home/user/.nvm/versions/node/v16.20.0/bin/pm2
argv                 : /home/user/.nvm/versions/node/v16.20.0/bin/node,/home/user/.nvm/versions/node/v16.20.0/bin/pm2,report
argv0                : node
user                 : ec2-user
uid                  : 1000
gid                  : 1000
===============================================================================
--- System info --------------------------------------------
arch                 : x64
platform             : linux
type                 : Linux
cpus                 : Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
cpus nb              : 2
freemem              : 2253070336
totalmem             : 4111364096
home                 : /home/user
===============================================================================

[gabrielenosso]

Up.
Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

[mterrel]

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

[boxexchanger]

Up. Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

+1
#5639

[eladkolet]

Up. Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

+1

+1

[ruslanrusu]

+1

[Braicce]

+1

[OIRNOIR]

+1

[frztmr]

+1

[lognaturel]

Thanks for maintaining pm2, @Unitech! Is there something I can do to help you with getting a new release out? Would a PR to bump proxy-agent be helpful? Any particular sanity checks with the new version that it might be helpful to do in preparation for a release?

[medbenmakhlouf]

+1

[cklat]

+1

@Unitech
Is there anything that you may communicate at the moment?
Any timeline for the fix? Are you aware of the problem and are working on a solution?

[OIRNOIR]

+1

@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

[OIRNOIR]

+1

@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

An update was just released to @pm2/agent updating proxy-agent to version 6.3.0. Run npm update to ensure that you have the latest version. If your pm2 is installed globally, don't forget to also sudo npm update -g
Still awaiting a fix to the semver issue: keymetrics/pm2-io-agent#131

[orange1337]

+1

[jrwhite17]

+1

[denodaeus]

Snyk is still reporting this as a vulnerability when I do a package.json overrides to pm2/[email protected], any thoughts?

CVE-2023-37466
Introduced through: [email protected] › @pm2/[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Fix: No remediation path available.

[Enrice]

yes. [email protected] depends on [email protected] depends on [email protected] with no dependency on vm2!

[jieLi086]

May I ask how the progress is ？

+1
@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

[Enrice]

May I ask how the progress is ？

+1
@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

I don't know what you mean.

• vm2 is no longer a dependency
• semver was updated to ~7.5.0, so current 7.5.4 with vulnerability fix can be used

[jieLi086]

Thank you for your answer. This has already solved my problem

[matthew-white]

Same here. For some reason, I thought the pm2 package had to change, and I was waiting for a pm2 release. It looks like just @pm2/agent, a subdependency of pm2, needs to be updated:

npm update @pm2/agent

[RobinTail]

Running yarn upgrade solved the issue for my project.

[OIRNOIR]

This is all fixed. Feel free to close this issue.

[OIRNOIR]

This is all fixed. Feel free to close this issue.

@vsanse

[tlebon]

for anyone using yarn:
add the following to your package.json and rerun yarn.
"resolutions": { "@pm2/agent": "2.0.3" },

confirm that vm2 is removed:
yarn why vm2 -R