Critical VM2 Flaw Lets Attackers Run Code Outside the Sandbox

by hubie from SoylentNews on (#64TFC)

upstart writes:

Critical VM2 flaw lets attackers run code outside the sandbox:

Researchers are warning of a critical remote code execution flaw in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository.

The vm2 vulnerability is tracked as CVE-2022-36067 and received a severity rating of 10.0, the maximum score in the CVSS system, as it could allow attackers to escape the sandbox environment and run commands on a host system.

Sandboxes are meant to be an isolated environment that is walled off from the rest of the operating system. However, as developers commonly use sandboxes to run or test potentially unsafe code, the ability to "escape" from this confined environment and execute code on the host is a massive security problem.

[...] "The reporter's POC bypassed the logic above since vm2 missed wrapping specific methods related to the 'WeakMap' JavaScript built-in type," the researchers explain in their report.

"This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox."

[...] Software developers are urged to update to the latest VM2 version and replace older releases in their projects as soon as possible.

For end users, it is important to note that it could take a while before virtualization software tools relying on VM2 apply the available security update.

As we saw with Log4Shell, a critical security problem in a widely deployed open-source library may persist for extended periods without the impacted users even knowing they're vulnerable due to the obscurity in the supply chain.

If you use a sandbox solution, check if it relies on VM2 and whether it's using the latest version.

Secure javascript????
