
The maintainer of the vm2 JavaScript sandbox module has shipped a patch to address a critical flaw that can be exploited to break security boundaries and execute arbitrary shellcode.
This flaw, which affects all versions up to and including 3.9.14, was reported by researchers at the South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix in version 3.9.15 on Friday.
vm2 said in the advisory, “Attackers can bypass sandbox protections and gain remote code execution privileges on the host running the sandbox.”
This vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from improper handling of errors that occur in asynchronous functions.
vm2 is a popular library used to run untrusted code in an isolated environment in Node.js. It is downloaded nearly 4 million times each week and used in 721 packages.
KAIST security researcher Seongil Wi has also made available two different variants of proof-of-concept (PoC) exploits for CVE-2023-29017. These bypass the sandbox protections and create an empty file named ‘flag’ on the host.
This disclosure comes almost six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10). This bug could have been weaponized to perform arbitrary operations on the underlying machine.