Security News > 2023 > April > Exploit available for critical bug in VM2 JavaScript sandbox library
Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment.
The researchers who found that the VM2 library handled improperly the host objects passed to the 'Error.
Exploiting the security issue can lead to bypassing sandbox protections and gaining remote code execution on the host.
"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," reads the security advisory.
After the release of the new VM2 version that addresses critical vulnerability, KAIST Ph.D student Seongil Wi published on GitHub in a secret repository two variations of the exploit code for CVE-2023-29017.
In October 2022, VM2 suffered from another critical flaw, CVE-2022-36067, which also enabled attackers to escape the sandbox environment and run commands on the host system.
News URL
Related news
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits (source)
- Exploit code for critical GitLab auth bypass flaw released (CVE-2024-45409) (source)
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-06 | CVE-2023-29017 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 9.8 |
| 2022-09-06 | CVE-2022-36067 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 10.0 |