Critical vulnerability puts vm2 JavaScript sandbox environments at risk of remote code execution attack

Key takeaway: “Although sandboxes are meant to run untrusted code within your application, you shouldn’t automatically assume that they are safe.”—Oxeye [260 words]

What: Organizations using the JavaScript sandbox vm2 should immediately update to vm2 version 3.9.11.

Why: A critical vulnerability (CVE-2022-36067) exists in all previous versions of vm2 that gives remote attackers a way to escape the sandbox and execute arbitrary code on the underlying host system. The vulnerability is tied to improper exception handling. GitHub has assigned the vulnerability a maximum severity rating of 10.0 on the CVSS scale. There are no known workarounds.
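Since the only remediation is upgrading, the practical check is whether every copy of vm2 in a deployment is at 3.9.11 or later, including transitive copies that a dependency nests under its own node_modules and that a glance at package.json will not show. The following is an added example (not code from the article, Oxeye, or the vm2 project) that scans a parsed npm package-lock.json for such installs; it assumes a lockfileVersion 2 or 3 "packages" map, and the "some-plugin" dependency in the constructed sample is hypothetical.

```javascript
// Added example (not from the article or the vm2 project): scan a parsed npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for vm2 installs,
// including transitive copies, that are older than the fixed 3.9.11 release.
const FIXED_VERSION = "3.9.11"; // first vm2 version containing the fix, per the advisory

// Compare two dotted numeric version strings (pre-release tags ignored); -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every vm2 install in the lockfile: the top-level copy and any
// nested copy a dependency pulled in under its own node_modules.
function findVm2Installs(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === "node_modules/vm2" || path.endsWith("/node_modules/vm2"))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Return only the installs still exposed to CVE-2022-36067.
function vulnerableVm2Installs(lock) {
  return findVm2Installs(lock).filter(
    (i) => compareVersions(i.version, FIXED_VERSION) < 0
  );
}

// Constructed sample lockfile: the direct vm2 has been updated, but a
// transitive copy under a hypothetical "some-plugin" has not.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.10" },
  },
};

for (const hit of vulnerableVm2Installs(SAMPLE_LOCK)) {
  console.log(`vulnerable: ${hit.path}@${hit.version} (fixed in ${FIXED_VERSION})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).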

Researchers from Oxeye discovered the vulnerability and disclosed it to the project owner on August 18, two days after discovering it. Oxeye has dubbed the bug “Sandbreak”. They describe the vulnerability as potentially having a very wide impact because vm2 averages more than 16 million downloads every month. “Given the nature of the use cases for sandboxes, it’s clear that the vm2 vulnerability can have dire consequences for applications that use it,” according to Oxeye.

Oxeye will publish technical details of the bug later this week.

Of note: Red Hat has issued a separate advisory with a list of its services affected by the vm2 bug. “This flaw allows an attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host which is running the sandbox,” Red Hat said.

Further reading:

Oxeye vulnerability disclosure

GitHub CVE-2022-36067

Red Hat advisory