Popular server-side JavaScript security sandbox “vm2” patches remote execution hole
Back in 2022, we wrote about a code execution hole in the widely-used JavaScript sandbox system vm2.
Your web browser is a good example of a sandbox, which is how it keeps control over JavaScript programs that it downloads and runs from remote websites.
Website JavaScript can ask to use your audio-visual hardware, but by default it won't get access unless you agree via a popup that can't be controlled from JavaScript.
The vm2 package is meant to provide a similar sort of restrictive environment for JavaScript that runs outside your browser, but that may nevertheless come from untrusted or semi-trusted sources, and therefore needs to be kept on a tight leash.
This new CVE-2023-29017 bug in vm2 involved a JavaScript function in the sandbox that was supposed to help you tidy up after errors when running background tasks.
If you have JavaScript applications that you don't manage and build yourself, and you aren't sure whether they use vm2 or not, contact your vendor for advice.
Related news
- Microsoft fixes Remote Desktop issues caused by Windows Server update
- Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers
- Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS SCORE) |
|---|---|---|---|
| 2023-04-06 | CVE-2023-29017 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2. vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 9.8 |