Critical Flaws in vm2 JavaScript Libraries Can Cause Remote Code Execution
A new round of patches has been made available for the vm2 JavaScript library to address two critical vulnerabilities that can be exploited to escape sandbox protection.
The two drawbacks- CVE-2023-29199 And CVE-2023-30547 – rated 9.8 out of 10 on the CVSS scoring system and has been addressed in versions 3.9.16 and 3.9.17 respectively.
Succeed exploitation from bugswhich allows an attacker to raise unclean host exceptions, can be armed to break out of the sandbox and run arbitrary code in the context of the host.
“Threat actors may bypass sandbox protection to gain remote code execution privileges on hosts running sandboxes,” the maintainer of the vm2 library said in a warning.
Credited with finding and reporting the vulnerabilities are security researchers SeungHyun Leewho have too released proof of concept (PoC) exploits for the two issues in question.
This disclosure comes a little over a week after vm2 fixed another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to arbitrary code execution on the underlying system.
It’s worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year (CVE-2022-36067, CVSS score: 9.8) codenamed Sandbreak.
