CVE-2021-21413

Name: CVE-2021-21413
Creator: NVD / NIST
Published: 2021-03-30T23:15:14.19+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.6/10EPSS 0.71%

Last modified Jun 17, 2026

CVE-2021-21413 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. EPSS estimates a 0.71% chance of exploitation in the next 30 days.

Description

isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker they would be able to use it to acquire a Reference to the nodejs context's Function object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution. This is addressed in v4.0.0 through a series of related changes.

Metrics

CVSS 3.1

9.6/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.71%

48.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-913

Affected Software

Vendor	Product	Versions
Isolated-Vm Project	Isolated-Vm	< 4.0.0

References

https://github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400Release Notes, Third Party Advisory
https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15Patch, Third Party Advisory
https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704Patch, Third Party Advisory
https://github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7Third Party Advisory
https://github.com/laverdet/isolated-vm/blob/main/CHANGELOG.md#v400Release Notes, Third Party Advisory
https://github.com/laverdet/isolated-vm/commit/2646e6c1558bac66285daeab54c7d490ed332b15Patch, Third Party Advisory
https://github.com/laverdet/isolated-vm/commit/27151bfecc260e96714443613880e3b2e6596704Patch, Third Party Advisory
https://github.com/laverdet/isolated-vm/security/advisories/GHSA-mmhj-4w6j-76h7Third Party Advisory

Timeline

Published: Mar 30, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21413?

How severe is CVE-2021-21413?

CVE-2021-21413 has a CVSS score of 9.6/10 (CRITICAL severity). The EPSS model estimates a 0.71% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21413?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21413?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST