The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from the South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix in version 3.9.15 on Friday.
“Threat actors can bypass sandbox protection to gain remote code execution privileges on hosts running sandboxes,” vm2 disclosed in an advisory.
The vulnerability has been assigned CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The problem stems from the fact that vm2 does not properly handle errors that occur in asynchronous functions.
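For defenders, the immediate question is whether a given project pulls in an affected vm2 release (3.9.14 or earlier). The script below is an added example, not code from the article or from the vm2 project: it scans an npm lockfile for every copy of vm2 (direct or nested) and flags versions below the fixed release, 3.9.15. The lockfile layouts it walks (the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1) are assumptions about npm's formats, and the sample lockfile embedded in it is constructed for the demonstration.

```javascript
// Added example (not from the article or the vm2 project): report vm2 copies in
// an npm lockfile whose version is affected by CVE-2023-29017 (< 3.9.15).

const FIXED_VERSION = '3.9.15'; // first release containing the fix (from the article)

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Affected range per the article: everything up to and including 3.9.14.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3: a flat "packages" map keyed by install path, e.g.
// "node_modules/vm2" or "node_modules/plugin/node_modules/vm2" (assumed layout).
function scanPackagesMap(packages, findings) {
  for (const [path, info] of Object.entries(packages)) {
    const isVm2 = path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2');
    if (isVm2 && info.version && isAffected(info.version)) {
      findings.push({ path, version: info.version });
    }
  }
}

// Lockfile v1: a nested "dependencies" tree, walked recursively (assumed layout).
function scanDependencyTree(deps, prefix, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vm2' && info.version && isAffected(info.version)) {
      findings.push({ path, version: info.version });
    }
    if (info.dependencies) scanDependencyTree(info.dependencies, `${path}/`, findings);
  }
}

// Returns a list of { path, version } for every affected vm2 copy found.
function findVulnerableVm2(lockfile) {
  const findings = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, findings);
  else if (lockfile.dependencies) scanDependencyTree(lockfile.dependencies, '', findings);
  return findings;
}

// Constructed sample (lockfile v3): a direct vm2 on a vulnerable version and a
// nested copy under a plugin that already uses the patched release.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.14' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { vm2: '^3.9.15' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.15' },
  },
};

// Constructed sample (lockfile v1) with the same two copies in nested form.
const SAMPLE_LOCKFILE_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    vm2: { version: '3.9.14' },
    'some-plugin': { version: '1.0.0', dependencies: { vm2: { version: '3.9.15' } } },
  },
};

for (const f of findVulnerableVm2(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}: vm2@${f.version} is affected by CVE-2023-29017; upgrade to >=${FIXED_VERSION}`);
}
```

Run it against a real project by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies matter because a patched top-level vm2 says nothing about a second copy vendored under a plugin.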
KAIST security researcher Seongil Wi has also made available two variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that bypass the sandbox protection and create an empty file named “flag” on the host.
The disclosure comes nearly six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10) that could be weaponized to perform arbitrary operations on the underlying machine.