The library is designed to run untrusted code in an isolated context on Node.js servers. It allows partial execution of the code and prevents unauthorized access to system resources or to external data.
Maximum severity level
Tracked as CVE-2023-29017, the recently fixed vulnerability received the maximum severity score of 10.0. It was discovered by the research team at Korea Advanced Institute of Science and Technology (KAIST).
The researchers found that the VM2 library improperly handled the host objects passed to the ‘Error.prepareStackTrace’ function when an asynchronous error occurs.
Exploiting the security issue can lead to bypassing sandbox protections and gaining remote code execution on the host.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” reads the security advisory.
The issue affects all versions of VM2 from 3.9.14 and older. The problem has been addressed with the release of a new version of the library, 3.9.15. There is no workaround available.
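Since no workaround exists and only upgrading to 3.9.15 resolves the issue, the practical check is whether any copy of vm2, including transitive ones pinned by other packages, is still at 3.9.14 or older. The script below is an added example, not code from the article or the vm2 project; it scans a package-lock.json "packages" map (lockfile version 2 or 3) and assumes a hypothetical dependency named "some-runner" in its constructed sample.

```javascript
// Added example: report every installed vm2 copy older than the fixed
// release (3.9.15) by walking a package-lock.json "packages" map.
const FIXED_VERSION = "3.9.15";

// Compare two dotted numeric versions (prerelease suffix ignored);
// returns a negative number, 0, or a positive number like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every installed vm2 path whose version predates the fix.
// Nested copies (node_modules/foo/node_modules/vm2) are included because a
// transitive dependency can pin an old vm2 even when the top-level one is patched.
function findVulnerableVm2(lockfile) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lockfile.packages || {})) {
    if (!pkgPath.endsWith("node_modules/vm2") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level vm2 plus a vulnerable
// transitive copy pulled in by the hypothetical package "some-runner".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { vm2: "^3.9.15", "some-runner": "1.0.0" } },
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/some-runner": { version: "1.0.0", dependencies: { vm2: "3.9.11" } },
    "node_modules/some-runner/node_modules/vm2": { version: "3.9.11" },
  },
};

// Usage: node check-vm2.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const hits = findVulnerableVm2(lock);
  console.log(hits.length ? hits : "no vm2 older than " + FIXED_VERSION + " found");
}
```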
Exploit code available
After the release of the new VM2 version that addresses the critical vulnerability, KAIST Ph.D. student Seongil Wi published on GitHub, in a private repository, two versions of the exploit code for CVE-2023-29017.
The PoCs, in their published form, merely create a new file named ‘flag’ on the host system, proving that VM2’s sandbox protections can be bypassed, allowing the execution of commands to create arbitrary files on the host system.
In October 2022, VM2 suffered from another critical flaw, CVE-2022-36067, which also enabled attackers to escape the sandbox environment and run commands on the host system. That issue was also fixed swiftly with the release of a new version of the library.