Researchers disclose critical sandbox escape bug in vm2 sandbox library

The development team behind the vm2 JavaScript sandbox library addressed a critical Remote Code Execution vulnerability.

The developers behind the vm2 JavaScript sandbox module have addressed a critical vulnerability, tracked as CVE-2023-29017 (CVSS score 9.8), that could be exploited to execute arbitrary shellcode.

vm2 is a sandbox that can run untrusted code in an isolated context on Node.js servers, it has approximately four million weekly downloads and its library is part of 722 packages.

The flaw was reported by the security researcher Seongil Wi from South Korean security firm KAIST WSP Lab.

The vulnerability affects all versions, including and prior to 3.9.14, it was addressed with the release of version 3.9.15.

“vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.” reads the advisory published by vm2. “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”

Wi also published two proof-of-concept (PoC) exploits for this vulnerability that can be used to escape the sandbox to create an empty file named “flag” on the host.

In October 2022, VM2 maintainers addressed another critical sandbox escape vulnerability tracked as CVE-2022-36067.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, sandbox)