Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

Apr 08, 2023Ravie LakshmananVulnerability / Software

The maintainers of the vm2 JavaScript sandbox module have
shipped a patch to address a critical flaw that could be abused to
break out of security boundaries and execute arbitrary
shellcode.

The flaw, which affects all versions, including and prior to
3.9.14, was reported ^[1]
by researchers from South Korea-based KAIST WSP Lab ^[2] on April 6, 2023,
prompting vm2 to release a fix with version 3.9.15 ^[3]
on Friday.

“A threat actor can bypass the sandbox protections to gain
remote code execution rights on the host running the sandbox,” vm2
disclosed ^[4]
in an advisory.

The vulnerability has been assigned the identified CVE-2023-29017 ^[5]
and is rated 9.8 on the CVSS scoring system. The issue stems from
the fact that it does not properly handle errors that occur in
asynchronous functions.

vm2 is a popular library ^[6]
that’s used to run untrusted code in an isolated environment on
Node.js. It has nearly four million weekly downloads.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter – Proven Strategies

Improve your business security with our upcoming expert-led
cybersecurity webinar: Explore Identity Perimeter strategies!

Don’t Miss Out – Save Your Seat!^[7]

KAIST security researcher Seongil Wi has also made available
two different variants ^[8]
of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get
around the sandbox protections and allow the creation of an empty
file named “flag” on the host.

The disclosure comes almost six months after vm2 resolved
another critical bug (CVE-2022-36067 ^[9], CVSS score: 10) that
could have been weaponized to perform arbitrary operations on the
underlying machine.

Found this article interesting? Follow us on Twitter ^[10] and LinkedIn ^[11] to read more exclusive
content we post.