CVE-2023-29199: Critical Sandbox Escape Vulnerability in VM2 library
A critical vulnerability with a CVSS score of 9.8 has been uncovered in the widely-used VM2 library. This JavaScript sandbox, designed to run untrusted code securely in a virtualized environment, is now at the center of a potential security crisis. With over 16 million monthly downloads and a wide range of applications, the repercussions of this vulnerability could be far-reaching.
The vulnerability, tracked as CVE-2023-29199, affects VM2 versions up to and including 3.9.15 and resides in the library’s source code transformer, specifically in its exception sanitization logic. The flaw allows an attacker to bypass the handleException() function and leak unsanitized host exceptions. The result? A gateway for threat actors to escape the sandbox and execute arbitrary code in the host context. The vulnerability was discovered and disclosed by Xion (SeungHyun Lee) of the KAIST Hacking Lab.
As if the discovery of the vulnerability wasn’t concerning enough, a security researcher has released proof-of-concept exploit code on GitHub in a secret repository. This move has raised the stakes, as it makes it easier for malicious actors to take advantage of the vulnerability and wreak havoc in the digital world.
The consequences of CVE-2023-29199 are dire. By exploiting this vulnerability, an attacker can bypass the sandbox protections, gain remote code execution on the host running the sandbox, and potentially compromise the security of every application that relies on VM2. From integrated development environments (IDEs) and code editors to function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products, the impact is extensive and alarming.
Fortunately, the vulnerability has been patched in VM2 version 3.9.16. However, the release of the exploit code means that developers and organizations must act swiftly to update their systems, ensuring that they are protected from the exploits that could follow from this vulnerability.
With no available workarounds for CVE-2023-29199, it is imperative for users of VM2 to update to the latest version as soon as possible to mitigate the risks associated with this vulnerability.
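Because the only mitigation is upgrading, the first practical step is finding every copy of vm2 still below 3.9.16, including transitive copies nested under other packages. The following Node.js check is an added example, not code from the article or the VM2 project; the lockfile contents and the "some-plugin" dependency are constructed.

```javascript
// Added example, not from the article or the VM2 project: flag vm2 installs
// in a package-lock.json that predate the 3.9.16 fix for CVE-2023-29199.
const FIXED = [3, 9, 16];
// Parse "3.9.15" (optional leading "v"; pre-release suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected: every release up to and including 3.9.15.
function isVulnerable(version) {
  return compareVersions(parseVersion(version), FIXED) < 0;
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and report
// every vm2 install, direct or nested, that is still on a vulnerable version.
function findVulnerableVm2(lock) {
  const hits = [];
  if (lock.packages) { // v2/v3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && isVulnerable(pkg.version)) {
        hits.push({ path, version: pkg.version });
      }
    }
  } else { // v1: nested "dependencies" tree, so recurse
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2' && isVulnerable(dep.version)) hits.push({ path, version: dep.version });
        walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile: the direct vm2 is fixed, but a transitive copy
// pulled in by a hypothetical "some-plugin" is still on 3.9.15.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/vm2': { version: '3.9.16' },
  'node_modules/some-plugin': { version: '1.2.0' },
  'node_modules/some-plugin/node_modules/vm2': { version: '3.9.15' } } };
```

Run it against a real lockfile with `findVulnerableVm2(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no vm2 copy in the tree is on an affected version.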
CVE-2023-29199 highlights the potential dangers of running untrusted code in a virtualized environment. With the release of exploit code and the widespread usage of VM2, it’s crucial for developers and organizations to take swift action in updating their systems to the latest patched version.