Popular server-side JavaScript security sandbox “vm2” patches remote execution hole
2023-04-09 00:28

Back in 2022, a code execution hole was found in the widely-used JavaScript sandbox system vm2.

Your web browser is a good example of a sandbox, which is how it keeps control over JavaScript programs that it downloads and runs from remote websites.

Website JavaScript can ask to use your audio-visual hardware, but by default it won't get access unless you agree via a popup that can't be controlled from JavaScript.

The vm2 package is meant to provide a similar sort of restrictive environment for JavaScript that runs outside your browser, but that may nevertheless come from untrusted or semi-trusted sources, and therefore needs to be kept on a tight leash.

This new CVE-2023-29017 bug in vm2 meant that a JavaScript function in the sandbox that was supposed to help you tidy up after errors when running background tasks.

If you run JavaScript applications that you don't manage and build yourself, and you aren't sure whether they use vm2 or not, contact your vendor for advice.


News URL

https://nakedsecurity.sophos.com/2023/04/09/popular-server-side-javascript-security-sandbox-vm2-patches-remote-execution-hole/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                                    RISK
2023-04-06  CVE-2023-29017  Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2  critical (CVSS 9.8)
            vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
            Attack vector: network; attack complexity: low; vendor: vm2-project; weakness: CWE-913