Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

April 19, 2023 | Rabbi Lakshmanan | Sandbox / Software Security


A new patch for the vm2 JavaScript library is now available to address two critical flaws that can be exploited to break sandbox protection.

Both flaws, CVE-2023-29199 and CVE-2023-30547, are rated 9.8 out of 10 on the CVSS scoring system and are addressed in versions 3.9.16 and 3.9.17, respectively.

Successful exploitation, in which an attacker raises an unsanitized host exception, can be used to escape the sandbox and execute arbitrary code in the host context.

“An attacker can bypass sandbox protections and gain remote code execution privileges on the host running the sandbox,” the vm2 library maintainer said in a warning.

The vulnerabilities were discovered and reported by security researcher SeungHyun Lee, who has also released proof-of-concept (PoC) exploits for two of the issues in question.

This disclosure comes just over a week after vm2 fixed another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could have allowed arbitrary code execution on the underlying system. There was a nature

It’s worth noting that Oxeye researchers detailed a critical remote code execution vulnerability in vm2 (CVE-2022-36067, CVSS score: 9.8) late last year. Its codename was Sandbreak.
