A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” GitHub said in an advisory published on September 28, 2022.
The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity score of 10 on the CVSS vulnerability scoring system. It has been addressed in version 3.9.11, released on August 28, 2022.
vm2 is a popular Node library that is used to run untrusted code with allowlisted built-in modules. It is also one of the most widely downloaded software packages, accounting for almost 3.5 million downloads per week.
The shortcoming is rooted in the error mechanism in Node.js, which can be used to escape the sandbox, according to software security firm Oxeye, which discovered the flaw.
This means that successful exploitation of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and run shell commands on the system hosting the sandbox.
In light of the critical nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate potential threats.
“Sandboxes serve different purposes in modern applications, such as examining attached files in email servers, providing an additional security layer in web browsers, or isolating actively running applications in certain operating systems,” Oxeye said.
“Given the nature of the use cases for sandboxes, it's clear that the vm2 vulnerability can have dire consequences for applications that use vm2 without patching.”