Security News > 2023 > April > Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution
2023-04-19 04:53

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections.

Both the flaws - CVE-2023-29199 and CVE-2023-30547 - are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.

Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.

"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert.

The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw that could lead to the execution of arbitrary code on the underlying system.

It's worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year that was codenamed Sandbreak.


News URL

https://thehackernews.com/2023/04/critical-flaws-in-vm2-javascript.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-04-17 CVE-2023-30547 Unspecified vulnerability in VM2 Project VM2
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
network
low complexity
vm2-project
critical
10.0
2023-04-14 CVE-2023-29199 Unspecified vulnerability in VM2 Project VM2
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.
network
low complexity
vm2-project
critical
10.0