Security News > 2022 > October > Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox
2022-10-11 11:28

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine.

"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," GitHub said in an advisory published on September 28, 2022.

Vm2 is a popular Node library that's used to run untrusted code with allowlisted built-in modules.

The shortcoming is rooted in the error mechanism in Node.js to escape the sandbox, according to application security firm Oxeye, which discovered the flaw.

This means that successful exploitation of CVE-2022-36067 could permit an attacker to bypass the vm2 sandbox environment and run shell commands on the system hosting the sandbox.

"Given the nature of the use cases for sandboxes, it's clear that the vm2 vulnerability can have dire consequences for applications that use vm2 without patching."


News URL

https://thehackernews.com/2022/10/researchers-detail-critical-rce-flaw.html

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-09-06 CVE-2022-36067 Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
network
low complexity
vm2-project CWE-913
critical
 10.0
10