Security News > 2023 > April > New sandbox escape PoC exploit available for VM2 library, patch now
A security researcher has released, yet another sandbox escape proof of concept exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox.
VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host's system resources or external data.
VM2 has had several critical sandbox escape disclosures over the past two weeks discovered by different security researchers, enabling attackers to run malicious code outside the constraints of the sandboxed environment.
The first sandbox escape flaw tracked as CVE-2023-29017 was discovered by Seongil Wi two weeks ago, with the latest two discovered by SeungHyun Lee.
Researchers from Oxeye discovered another sandbox escape tracked as CVE-2022-36067 in October 2022.
It is unclear if the two sandbox escape flaws are entirely new vulnerabilities or if they are caused by incomplete patches for the original CVE-2023-29017 bug discovered by Wi. BleepingComputer has asked Wi and Lee questions about these bugs and will update the story if we receive a response.
News URL
Related news
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Mitel MiCollab zero-day and PoC exploit unveiled (source)
- PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files (source)
- 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-06 | CVE-2023-29017 | Unspecified vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 9.8 |
2022-09-06 | CVE-2022-36067 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 10.0 |