{"id":"CVE-2021-21413","details":"isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker they would be able to use it to acquire a Reference to the nodejs context's Function object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution. This is addressed in v4.0.0 through a series of related changes.","aliases":["GHSA-mmhj-4w6j-76h7"],"modified":"2026-07-09T14:06:16.104446Z","published":"2021-03-30T23:15:14.190Z","references":[{"type":"ADVISORY","url":"https://github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400"},{"type":"ADVISORY","url":"https://github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7"},{"type":"FIX","url":"https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15"},{"type":"FIX","url":"https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/laverdet/isolated-vm","events":[{"introduced":"0"},{"fixed":"27cb89d3c3c4ef433af22ac8efa38a26f1caabda"},{"fixed":"2646e6c1558bac66285daeab54c7d490ed332b15"},{"fixed":"27151bfecc260e96714443613880e3b2e6596704"}],"database_specific":{"cpe":"cpe:2.3:a:isolated-vm_project:isolated-vm:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"4.0.0"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v2.1.0","v3.3.10","v3.3.9","v3.3.8","v3.3.7","v3.3.6","v3.3.5","v3.3.4","v3.3.3","v3.3.2","v3.3.1","v3.3.0","v3.2.0","v3.1.5","v3.1.4","v3.1.3","v3.1.2","v3.1.1","v3.1.0","v3.0.0","v2.0.3","v2.0.2","v2.0.1","v1.7.10","v2.0.0","v1.7.9","v1.7.8","v1.7.7","v1.7.6","v1.7.5","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.6.1","v1.6.0","v1.5.2","v1.5.1","v1.5.0","v1.4.2","v1.4.1","v1.4.0","v1.3.1","v1.3.0","v1.2.0","v1.1.0","v1.0.2","v1.0.1","v1.0.0","v0.1.6","v0.1.5","v0.1.4","v0.1.3","v0.1.2","v0.1.1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"line_hashes":["248989448136741073006489225094144144254","6521994778744781941593864184156533987","67967807354868240581189215432441869126","91749419716926172042961827765205772296","248616252821881707077871817509988648569","163460050397349600737783709849551590961","255656805517743133186981276338869541071","124037691073486765795232172374629258242","208179395732506804254779019222105600653","224578130718379762163461863140338878842","41270046493278781558920236518802750526"],"threshold":0.9},"id":"CVE-2021-21413-19a8d7d3","signature_type":"Line","signature_version":"v1","source":"https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15","target":{"file":"src/module/reference_handle.h"}},{"target":{"file":"src/isolate/strings.h"},"deprecated":false,"digest":{"line_hashes":["93466081134106285056960782041521530312","310359691527930475157222954403615051934","134061221462301400580464510349487542223","157894988266578522887475642058351290426","97746545905080014224813560367024713114","100712168214738723627962550171306967890","113222501754119897008838956477104664435","9486461428630668921741619193633147928"],"threshold":0.9},"id":"CVE-2021-21413-39019ea6","signature_type":"Line","signature_version":"v1","source":"https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15"},{"signature_version":"v1","source":"https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704","target":{"file":"src/module/native_module_handle.cc"},"deprecated":false,"digest":{"line_hashes":["264111373127997488962194624610456868363","163635222442449765054749460105449635334","307114431416889100749952891824004896126","192536577687231782145732123296177427963"],"threshold":0.9},"id":"CVE-2021-21413-51779125","signature_type":"Line"},{"deprecated":false,"digest":{"line_hashes":["288353043424917502046704572755545511560","266656707994571858744508392672164520122","328540505277112191648959279610819210398","1548133400452503366286547026139122356","16841531028079865592843917724912213450","329391175791773419397667240558557897717","68343616178656963505159668930011450624","133053393228615423754297080058054089054","155316581931815319021782308758006050019","38262212143608370649143148676965977140","11272954762120397447664571427069716929","308411827986792172694108455683649587027","275766227458054237771966395183030283312","223171264598406098282663183160435495037","15742821970566604481586813994685571399","242880398868009557636132572505178572942","76496783157875818458846857296846316641","189249815277659168893717210019003075627","154814155439080681350398153763529001912","265480881752755739331304339478084351336","263736785944097571938761105132829697043","168065854449663876626811017644493797927","69374502182892356946294348971943271662","39303828121878132277617173658957158828","137072795047912360642845613598152267717","292705597629373685475692010850356923747","139502573524383623426785260832437133000","106426659614704410656737140932696967096","59318515393426494772440150778906867463","5779011155535496942966893557061554721","70455358934139000317331253596919056403","186130266279583849260348748780751679594","170385480938394374081631715314718856605","288686291543827957686091033802250070261","319648846547284200238676068717786642517","261227500106994704646686019343412324364","177486460789848539560826165636631464021","328288099310947053755468995729055532932","240522512309630831697827857464120036961","272299219399112013663431210214904634689","292902103820254573391739568249992853100","336603769371450367887854514631384192134","175864253064682979058658359168421245033","42511915605228637949590554109876768541","177327824965146973350926769290966170063","125550129773803562893506489664838370716","22662825526327529973343900367601079401","205480789735769244526103115956089652560","307946342539755205339960650091275813853","305023268603406044512870196496743283903","308728046261368894623898612193662889283","308212158320544030637968218978391963671","193268547490437254494246793822593743209","307614413835396333813011841207428826242","294901952867553633827694300810882433382","318592930598122977178468622593786943087","16426819454172586150767313335164108896","9024348086555931758590254201998858885","320352257253544610370504783683352960584","308556346681486465658977157700084961784","8506800160146534541423669662999867261","22866039221180267143919339823628676998","51589620743621381543568319432307955567","334162665872958272630051995056860357139","209318371826619860072432059050349941269","213328376905411619165521648697848104644","151995584552233236658888031080826485330","23060822377416584205219205115621750677","69374502182892356946294348971943271662","39303828121878132277617173658957158828","137072795047912360642845613598152267717","292705597629373685475692010850356923747","1439640470806271321986159512522993347","157833028036153939470088738453307049953","55762169377030006605922740899070042409","288679400394255998472285747486189521040","63848432609467076818565627071071996182","336686398110632730209183631790224877574","121156800254483733399312187277937151639","224503661304018667948753004546511381381","307946342539755205339960650091275813853","305023268603406044512870196496743283903","9578401398548472730328002443490703713","120501347603734293261865233280791297414","138687281829349872342740899767311688684","276853389937055576161354201054347127565","319630679363660039588208554453493076911","16270812380194535721494995776082618489","117975850764117785381551414558109070977","134785853732752573269552731565898997054","303824957509251554329021777147764066951","39174230411438904635610838666620177863","223975270580105059660301770504729218788","250775899549155822093911100709808759055","306555349002167209120754519658721104758","213328376905411619165521648697848104644","151995584552233236658888031080826485330","23060822377416584205219205115621750677","69374502182892356946294348971943271662","39303828121878132277617173658957158828","137072795047912360642845613598152267717","292705597629373685475692010850356923747","139502573524383623426785260832437133000","106426659614704410656737140932696967096","114932208268771166981890763346909999851","287640739857119228275829093118318638857","328094360225452912870798390388361429079","253540288030678219248777363548899684742","133366167937793474507756657805137431401","265008395387712599601146109458386310504","300066997985991901028658152179796134882","241639788337948524241305560532860875618","304827476558428418751539888421965135625","307346322697281711802555202928624346967","252703158844751043351724598205449321300","304966266660247400942557715733846278467","94867133615926164591829099175667618267","250037863036628731820087718215570230322","69698478328908301482764898274587968045","72738757722493783586582416734663575299"],"threshold":0.9},"id":"CVE-2021-21413-bc8b0e0c","signature_type":"Line","signature_version":"v1","source":"https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15","target":{"file":"src/module/reference_handle.cc"}},{"signature_version":"v1","source":"https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704","target":{"file":"src/module/native_module_handle.cc","function":"NativeModule::NativeModule"},"deprecated":false,"digest":{"function_hash":"169529429938894485876176998035187510809","length":373},"id":"CVE-2021-21413-bd0124fb","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21413.json","vanir_signatures_modified":"2026-07-09T14:06:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}