CVE-2023-37466: Critical Sandbox Escape Vulnerabilities in VM2 Library

In the realm of cybersecurity, nothing reverberates more fiercely than the clamor of security vulnerabilities surfacing. This time, the alarm bells ring for VM2, a popular Node.js sandbox library widely utilized in integrated development environments (IDEs), code editors, security tools, and an array of penetration testing frameworks. With millions of downloads per month from the NPM package repository, the stakes are indeed high, and the news of the discovery of two critical sandbox escape vulnerabilities will undeniably cause a stir in the tech community.

During a week characterized by relentless scrutiny and intense vulnerability detection efforts, VM2 fell under the discerning gaze of SeungHyun Lee, a dedicated security researcher from KAIST Hacking Lab, more commonly known as Xion.

The first of Xion’s startling discoveries, assigned the identifier CVE-2023-37466 and brandishing a critical CVSS score of 9.8, exposed the VM2’s sandbox, allowing rogue elements to bypass Promise handler sanitization. This effectively granted attackers the ability to circumvent the sandbox’s protective environment and execute arbitrary code— an audacious jailbreak from the very heart of the sandbox’s stronghold. CVE-2023-37466 bug impacts all library versions from 3.9.16 and earlier.

What followed in Xion’s painstaking research is another daring revelation: a second sandbox escape flaw bearing no CVE number. The security shortcoming was a gaping chasm that allowed the Node.js custom inspect function to be manipulated, facilitating the potential escape of assailants from the sandbox’s confines, thereby paving the way for the execution of arbitrary code.

Regrettably, at this juncture, no patches or workarounds have been made available to mitigate these critical vulnerabilities. A detailed Proof of Concept (PoC) for both escape flaws is set to be disclosed on or after the 8th of August, a revelation anxiously anticipated by the tech world.

For security issues that cannot be properly resolved, XmiliaH will discontinue maintaining this library. All users, package maintainers, and software developers whose projects incorporate the VM2 library are recommended to move to isolated-vm project.