The library is established to run untrusted code in an apart context on Node.js servers. It allows partial execution of the code and prevents unapproved access to system resources or to external details.
Optimum severity level
Tracked as CVE-2023-29017, the simply recently fixed vulnerability got the optimal severity score of 10.0. It was discovered by the research study hall at Korea Advanced Institute of Science and Development (KAIST).
The researchers found that the VM2 library handled improperly the host things passed to the ‘Error.prepareStackTrace’ function when an asynchronous error takes place.
Using the security issue can trigger bypassing sandbox securities and obtaining remote code execution on the host.
” A risk star can bypass the sandbox securities to get remote code execution rights on the host running the sandbox,” checks out the security advisory
The issue impacts all variations of VM2 from 3.9.14 and older. The concern has in fact been handled with the release of a new variation of the library, 3.9.15. There is no workaround easily offered.
Use code easily offered
After the release of the new VM2 variation that handles essential vulnerability, KAIST Ph.D student Seongil Wi launched on GitHub in a secret repository 2 variations of the use code for CVE-2023-29017.
The PoCs, in their launched type, simply produce a new file called ‘flag’ on the host system, revealing that VM2’s sandbox securities can be bypassed, allowing the execution of commands to produce approximate files on the host system.
In October 2022, VM2 had problem with another essential problem, CVE-2022-36067, which also enabled assailants to leave the sandbox environment and run commands on the host system. That issue was also fixed immediately with the release of a new variation of the library.