Critical RCE Vulnerability with Max CVSS Score in VM2 Sandbox Library



A critical vulnerability in vm2 may let a remote attacker bypass the sandbox and execute shell commands on the host running it.

About the Vulnerability

The most widely used JavaScript sandbox library is vm2, which receives over 17.5 million downloads per month. It is commonly used in software testing to run untrusted code synchronously inside a single process.

A serious sandbox escape vulnerability that permits remote code execution was discovered in vm2 by the Oxeye research team. The project maintainers were informed of the vulnerability, which was quickly fixed in version 3.9.11. Users are on high alert after GitHub published an advisory, CVE-2022-36067, for this vulnerability and assigned it a CVSS score of 10.

The researchers found they could replace the global Error object with their own version that carried a custom prepareStackTrace function. When the host invoked it, it received a CallSite object from outside the sandbox, which allowed arbitrary code to be executed on the host.

To reduce this risk, the vm2 implementation wrapped the Error object's prepareStackTrace function and the method that calls it so that sandboxed code could not override them. Because vm2 did not cover every relevant method, an attacker could still supply their own prepareStackTrace implementation and escape the sandbox.

Mitigations

Oxeye requests that AppSec engineers, R&D managers and security experts patch every vm2 sandbox instance in their environments.

Published October 12th, 2022 | Security Advisory, Security Update, Tips, vulnerability

About the Author:

FirstHackersNews - Identifies Security
