New sandbox escape PoC exploit available for VM2 library, patch now
2023-04-18 14:39

A security researcher has released yet another sandbox escape proof-of-concept exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox.

VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host's system resources or external data.

Over the past two weeks, different security researchers have disclosed several critical sandbox escapes in VM2, enabling attackers to run malicious code outside the constraints of the sandboxed environment.

The first sandbox escape flaw, tracked as CVE-2023-29017, was discovered by Seongil Wi two weeks ago, with the latest two discovered by SeungHyun Lee.

Researchers from Oxeye discovered another sandbox escape tracked as CVE-2022-36067 in October 2022.

It is unclear if the two sandbox escape flaws are entirely new vulnerabilities or if they are caused by incomplete patches for the original CVE-2023-29017 bug discovered by Wi. BleepingComputer has asked Wi and Lee questions about these bugs and will update the story if we receive a response.


News URL

https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-04-06 | CVE-2023-29017 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2. vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. (network, low complexity, vm2-project, CWE-913) | critical, 9.8
2022-09-06 | CVE-2022-36067 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2. vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. (network, low complexity, vm2-project, CWE-913) | critical, 10.0