Security News > 2022 > October > Critical VM2 flaw lets attackers run code outside the sandbox
Researchers are warning of a critical remote code execution flaw in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository.
The vm2 vulnerability is tracked as CVE-2022-36067 and received a severity rating of 10.0, the maximum score in the CVSS system, as it could allow attackers to escape the sandbox environment and run commands on a host system.
Security researchers at Oxeye have found a clever way to customize the call stack of an error that occurs in VM2 to generate "CallSite" objects created outside the sandbox and use them to access Node's global objects and execute commands.
The analysts found that it's also possible to override the global Error object with a custom object that implements the "PrepareStackTrace" function, again accessing "CallSite" objects created outside the sandbox and running commands in the current process.
Oxeye's research team discovered this critical problem on August 16, 2022, and reported it to the VM2 team a couple of days later, who confirmed they had launched an investigation.
If you use a sandbox solution, check if it relies on VM2 and whether it's using the latest version.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-06 | CVE-2022-36067 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 10.0 |