The developers behind the vm2 JavaScript sandbox module have addressed a critical vulnerability, tracked as CVE-2023-29017 (CVSS score 9.8), that could be exploited to execute arbitrary shellcode.
vm2 is a sandbox that can run untrusted code in an isolated context on Node.js servers, it has approximately four million weekly downloads and its library is part of 722 packages.
The flaw was reported by the security researcher Seongil Wi from South Korean security firm KAIST WSP Lab.
The vulnerability affects all versions, including and prior to 3.9.14, it was addressed with the release of version 3.9.15.
“vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.” reads the advisory published by vm2. “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”
Wi also published two proof-of-concept (PoC) exploits for this vulnerability that can be used to escape the sandbox to create an empty file named “flag” on the host.
In October 2022, VM2 maintainers addressed another critical sandbox escape vulnerability tracked as CVE-2022-36067.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, sandbox)
Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…
The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…
This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…
The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…
A new variant of TheMoon malware infected thousands of outdated small office and home office…
This website uses cookies.