Security News > 2023 > April > New sandbox escape PoC exploit available for VM2 library, patch now
A security researcher has released, yet another sandbox escape proof of concept exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox.
VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host's system resources or external data.
VM2 has had several critical sandbox escape disclosures over the past two weeks discovered by different security researchers, enabling attackers to run malicious code outside the constraints of the sandboxed environment.
The first sandbox escape flaw tracked as CVE-2023-29017 was discovered by Seongil Wi two weeks ago, with the latest two discovered by SeungHyun Lee.
Researchers from Oxeye discovered another sandbox escape tracked as CVE-2022-36067 in October 2022.
It is unclear if the two sandbox escape flaws are entirely new vulnerabilities or if they are caused by incomplete patches for the original CVE-2023-29017 bug discovered by Wi. BleepingComputer has asked Wi and Lee questions about these bugs and will update the story if we receive a response.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-06 | CVE-2023-29017 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 9.8 |
2022-09-06 | CVE-2022-36067 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 10.0 |