Security News > 2023 > April > Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution
A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections.
Both the flaws - CVE-2023-29199 and CVE-2023-30547 - are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.
Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.
"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert.
The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw that could lead to the execution of arbitrary code on the underlying system.
It's worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year that was codenamed Sandbreak.
News URL
https://thehackernews.com/2023/04/critical-flaws-in-vm2-javascript.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-17 | CVE-2023-30547 | Unspecified vulnerability in VM2 Project VM2 vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. | 10.0 |
| 2023-04-14 | CVE-2023-29199 | Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2 There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. | 10.0 |