The developers behind the vm2 JavaScript sandbox module have addressed a critical vulnerability, tracked as CVE-2023-29017 (CVSS score 9.8), that could be exploited to execute arbitrary shellcode.
vm2 is a sandbox that can run untrusted code in an isolated context on Node.js servers, it has approximately four million weekly downloads and its library is part of 722 packages.
The flaw was reported by the security researcher Seongil Wi from South Korean security firm KAIST WSP Lab.
The vulnerability affects all versions, including and prior to 3.9.14, it was addressed with the release of version 3.9.15.
“vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.” reads the advisory published by vm2. “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”
exploits for this vulnerability that can be used to escape the sandbox to create an empty file named “flag” on the host.
Wi also published two proof-of-concept (PoC)In October 2022, VM2 maintainers addressed another critical sandbox escape vulnerability tracked as CVE-2022-36067.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, sandbox)