CVE-2023-29017: Critical RCE Flaw in Popular vm2 JavaScript Sandbox
CVE-2023-29017 is a sandbox escape in vm2, the Node.js library used to run untrusted JavaScript, and it carries a CVSS score of 10. Because the bug lets guest code break out of the sandbox and run with the privileges of the host process, it is a serious concern for every application that relies on vm2 to contain untrusted input.
vm2 is a Node.js library that runs untrusted JavaScript in a sandbox and restricts the guest to an allow-list of Node's built-in modules. It is downloaded roughly 3.5 million times per week from npm, often as a transitive dependency of other tools, so its security affects a very large number of projects.
Researchers at KAIST WSP Lab found a critical flaw in vm2 versions prior to 3.9.15. vm2 works by intercepting every object that crosses the boundary between the host and the sandbox; the bug is that host objects passed to Error.prepareStackTrace were not handled correctly in the case of unhandled asynchronous errors, so a host-realm object could reach code running inside the sandbox. That is enough for a full escape: from any host object, guest code can walk constructor.constructor to the host realm's Function and use it to evaluate arbitrary JavaScript with access to the host's process object, giving an attacker who controls the sandboxed code remote code execution on the host running the sandbox.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” the developer wrote in an advisory published on April 7, 2023.
Proof-of-concept exploit code is publicly available, so any deployment that runs attacker-supplied code in an affected vm2 version should be treated as trivially exploitable.
The vm2 maintainers responded quickly: version 3.9.15 fixes CVE-2023-29017. Users should upgrade to 3.9.15 or later and confirm that the upgraded version is the one actually resolved in their lockfile.
There are no known workarounds for this vulnerability, so upgrading is the only viable remediation. Check for every copy of vm2 in a project's dependency tree, including transitive ones (npm ls vm2 lists each resolved instance), because upgrading a direct dependency does not change copies that other packages pin to an older range.