Popular server-side JavaScript security sandbox “vm2” patches remote execution hole
Security News, April 2023
Back in 2022, a code execution hole was reported in the widely used JavaScript sandbox system vm2.
Your web browser is a good example of a sandbox, which is how it keeps control over JavaScript programs that it downloads and runs from remote websites.
Website JavaScript can ask to use your audio-visual hardware, but by default it won't get access unless you agree via a popup that can't be controlled from JavaScript.
The vm2 package is meant to provide a similar sort of restrictive environment for JavaScript that runs outside your browser, but that may nevertheless come from untrusted or semi-trusted sources, and therefore needs to be kept on a tight leash.
This new CVE-2023-29017 bug in vm2 involved a JavaScript function in the sandbox that was supposed to help you tidy up after errors when running background tasks.
If you use JavaScript applications that you don't manage and build yourself, and you aren't sure whether they use vm2 or not, contact your vendor for advice.