A critical vulnerability in vm2 could allow a remote attacker to bypass the sandbox and execute shell commands on the host running it.
About the Vulnerability
vm2 is the most widely used JavaScript sandbox library, with over 17.5 million downloads per month. It is commonly used as a platform for running and testing untrusted code synchronously within a single process.
The Oxeye research team discovered a sandbox escape in vm2 that permits remote code execution. The project maintainers were informed of the vulnerability and quickly fixed it in version 3.9.11. GitHub has since published an advisory for the flaw as CVE-2022-36067 with a CVSS score of 10, and users are on high alert.
The researchers were able to replace the global Error object with their own version carrying a custom prepareStackTrace function. When that function was invoked, it received a CallSite object originating outside the sandbox, which allowed arbitrary code to be executed on the host.
To reduce this risk, the vm2 implementation wrapped the Error object's prepareStackTrace function and the methods it calls so that sandboxed users could not override them. Because vm2 did not wrap every relevant method, an attacker could still supply their own prepareStackTrace implementation and escape the sandbox.
Mitigations
Oxeye urges AppSec engineers, R&D managers, and security teams to patch every vm2 sandbox instance in their environments.