Researchers detail critical RCE flaw reported in popular vm2 JavaScript sandbox



October 11, 2022Rabbi Lakshmanan

vm2 JavaScript sandbox

A currently patched security flaw in the vm2 JavaScript sandbox module could be exploited by a remote adversary to breach the security barrier and take arbitrary actions on the underlying machine.

In an advisory published on September 28, 2022, GitHub said, “Attackers can bypass sandbox protections and gain remote code execution privileges on the host running the sandbox.

cyber security

The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, has a maximum severity rating of 10 in the CVSS vulnerability scoring system. This issue is resolved in version 3.9.11, released on August 28, 2022.

vm2 is a popular Node library used to run untrusted code using whitelisted built-in modules. It is also one of the most widely downloaded software, with nearly 3.5 million downloads per week.

vm2 JavaScript sandbox

According to application security firm Oxeye, who discovered the flaw, the shortcoming is due to Node.js’s error mechanism for evading sandboxes.

This means that successful exploitation of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and execute shell commands on the system hosting the sandbox.

In light of the serious nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate any possible threat.

According to Oxeye, “Sandboxing can be used in many ways in modern applications, such as inspecting attachments on email servers, providing an extra layer of security in web browsers, or isolating applications actively running on a given operating system. serve a purpose.

“Given the nature of the sandbox use case, it’s clear that vulnerabilities in vm2 could have disastrous consequences for applications that use vm2 unpatched.”

Did you find this article interesting?Please follow us twitter and LinkedIn to read more exclusive content we post.


Source link

What do you think?

Leave a Reply

GIPHY App Key not set. Please check settings

    hBKETPUQvfojMyGz72SXrD 1200 80

    Hulu: How to sign up, apps, devices, shows, plans and more

    eCommerce Website Design article image

    Ecommerce Website Design Best Practices and Examples – Forbes Advisors