The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.
The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” vm2 disclosed in an advisory.
The vulnerability has been assigned the identified CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that it does not properly handle errors that occur in asynchronous functions.
vm2 is a popular library that’s used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in 721 packages.
Learn to Secure the Identity Perimeter – Proven Strategies
Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!
KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get around the sandbox protections and allow the creation of an empty file named “flag” on the host.
The disclosure comes almost six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary operations on the underlying machine.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Post Disclaimer
The information provided in our posts or blogs are for educational and informative purposes only. We do not guarantee the accuracy, completeness or suitability of the information. We do not provide financial or investment advice. Readers should always seek professional advice before making any financial or investment decisions based on the information provided in our content. We will not be held responsible for any losses, damages or consequences that may arise from relying on the information provided in our content.