Researchers Find Critical Remote Code Execution Flaw in Sandbox vm2 Library
The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from the South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix in version 3.9.15 on Friday.
“Threat actors can bypass sandbox protection to gain remote code execution privileges on hosts running sandboxes,” vm2 disclosed in an advisory.
The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The problem stems from the fact that vm2 doesn’t properly handle errors that occur in asynchronous functions.
vm2 is a popular library used to run untrusted code in an isolated environment in Node.js. It has almost four million weekly downloads and is used in 721 packages.
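Because vm2 is frequently pulled in through other packages, a project can resolve an affected copy without listing vm2 itself. The following is an added example, not code from the vm2 project or the researchers: it scans a parsed npm `package-lock.json` for vm2 entries at or below 3.9.14, and the sample lockfile and its package names are constructed.

```javascript
// Added example: flag vm2 copies in a parsed package-lock.json that fall in the
// range the article gives for CVE-2023-29017 (<= 3.9.14, fixed in 3.9.15).
const FIXED = [3, 9, 15];
// Split "3.9.14" or "3.9.15-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}
// true = older than 3.9.15, false = fixed, null = not a plain version
// (git URL, tarball, missing) and needs manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre; // a 3.9.15 prerelease sorts before 3.9.15
}

// Collect every vm2 entry, including copies nested under other packages.
function findVm2(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) add(path, meta);
  }
  // lockfileVersion 1: nested "dependencies" trees (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'vm2') add(trail + name, meta);
      walk(meta.dependencies, trail + name + ' > ');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "some-runner" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-runner/node_modules/vm2': { version: '3.9.14' },
  },
};
for (const h of findVm2(sampleLock)) console.log(h.path, h.version, h.affected);
```

In practice, pass the result of `JSON.parse` on the project's own `package-lock.json` to `findVm2`; `npm ls vm2` shows the same dependency paths interactively.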
KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get around sandbox protections and allow the creation of an empty file named “flag” on the host.
The disclosure comes nearly six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10) that could be weaponized to perform arbitrary operations on the underlying machine.