Security News > 2023 > April > Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library
The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.
The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.
"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2 disclosed in an advisory.
Vm2 is a popular library that's used to run untrusted code in an isolated environment on Node.js.
KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept exploit for CVE-2023-29017 that get around the sandbox protections and allow the creation of an empty file named "Flag" on the host.
The disclosure comes almost six months after vm2 resolved another critical bug that could have been weaponized to perform arbitrary operations on the underlying machine.
News URL
https://thehackernews.com/2023/04/researchers-discover-critical-remote.html
Related news
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk (source)
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications (source)
- Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution (source)
- That doomsday critical Linux bug: It's CUPS. Could lead to remote hijacking of devices (source)
- That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking of devices (source)
- CUPS flaws enable Linux remote code execution, but there’s a catch (source)
- Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution (source)
- Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks (source)
- Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw (source)