CVE-2023-30547: Critical Security Flaw in Popular JavaScript Sandbox Module vm2

A critical security vulnerability has been discovered in the popular vm2 JavaScript sandbox module, which is used to run untrusted code in isolated environments on Node.js. With nearly four million weekly downloads and being integrated into 721 packages, this vulnerability has the potential to impact a vast number of developers and applications. Identified as CVE-2023-30547 and rated 9.8 on the CVSS scoring system, this flaw could enable attackers to break out of security boundaries and execute arbitrary shellcodes.

Discovery and Patch

The critical flaw was reported on April 17, 2023, by researchers from the South Korea-based KAIST WSP Lab. In response, the maintainers of the vm2 module quickly released a patch with version 3.9.17. The vulnerability affects all versions up to and including 3.9.16, and there are no known workarounds. Users are advised to upgrade to the patched version immediately.

Technical Analysis

The vulnerability lies in the exception sanitization process of vm2. When host exceptions may leak host objects into the sandbox, code is preprocessed with the transformer() function to instrument the code with handleException() sanitizer function calls. For CatchClause with ObjectPattern, the code calls handleException() and then re-throws the sanitized exception inside a nested try-catch.

The handleException() function is an alias of thisEnsureThis(), which in turn calls thisReflectGetPrototypeOf(other) to access the object’s prototype. However, this may be proxied through a getPrototypeOf() proxy handler, which can by itself throw an unsanitized host exception, resulting in the outer catch statement receiving it.

An attacker can exploit this vulnerability by raising a non-proxied host exception inside a getPrototypeOf() proxy handler, registering it to an object, and throwing it to leak host exception. Once the host exception is leaked, the attacker can use it to access the host Function, ultimately escaping the sandbox.

KAIST security researcher Seongil Wi has also made available a proof-of-concept (PoC) exploit for the CVE-2023-30547 flaw.

Impact and Mitigation

The exploitation of this vulnerability could lead to Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of the vm2 sandbox. As a result, it is crucial that users update their vm2 module to version 3.9.17 or later to mitigate the risk of remote code execution.

Developers and application maintainers should be aware of this vulnerability and take the necessary steps to update their systems promptly. By upgrading to the patched version, they can prevent potential security breaches and protect their applications from potential attacks exploiting this critical flaw.