Security News > 2022 > October > Critical vm2 sandbox escape flaw uncovered, patch ASAP! (CVE-2022-36067)
Called SandBreak, this new vulnerability requires R&D leaders, AppSec engineers, and security professionals to ensure they immediately patch the vm2 sandbox if they use it in their applications.
Vm2 is the most popular Javascript sandbox library, with around 17.5 million monthly downloads.
The Oxeye research team found a critical sandbox escape vulnerability that leads to remote code execution in vm2.
A threat actor who exploits this vulnerability will be able to bypass the vm2 sandbox environment and run shell commands on the machine hosting it.
Given the nature of the use cases for sandboxes, it's clear that the vm2 vulnerability can have dire consequences for applications that use vm2 without patching.
Yuval Ostrovsky, Architect at Oxeye, added that "Although sandboxes are meant to run untrusted code within your application, you shouldn't automatically assume that they are safe. If the use of a sandbox is unavoidable, it is recommended to separate the logical sensitive part of your application from the microservice that runs the sandbox code so if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice."