Critical Vulnerability in VM2 JavaScript Sandbox Library Exploitable

April 7, 2023

A proof-of-concept (PoC) exploit has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox used to run code securely in a virtualized environment. The library, with over 16 million monthly downloads via the NPM package repository, is used by integrated development environments (IDEs), code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products. The vulnerability, tracked as CVE-2023-29017, has a severity score of 10.0 and was discovered by researchers at the Korea Advanced Institute of Science and Technology (KAIST). Exploiting this security issue can lead to bypassing sandbox protections and gaining remote code execution on the host.

The VM2 library is designed to run untrusted code in an isolated context on Node.js servers, allowing partial execution of the code and preventing unauthorized access to system resources or external data. The vulnerability was found to be caused by improper handling of host objects passed to the 'Error.prepareStackTrace' function when an asynchronous error occurs. The security advisory states, “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.” The issue affects all versions of VM2 from 3.9.14 and older. A new version of the library, 3.9.15, has been released to address the problem, with no workaround available.

Seongil Wi, a KAIST Ph.D. student, published two variations of the exploit code for CVE-2023-29017 on GitHub in a secret repository after the release of the new VM2 version. The PoCs, in their published form, simply create a new file named 'flag' on the host system, proving that VM2’s sandbox protections can be bypassed, allowing the execution of commands to create arbitrary files on the host system.

In October 2022, VM2 faced another critical flaw, CVE-2022-36067, which also enabled attackers to escape the sandbox environment and run commands on the host system. That issue was also fixed swiftly with the release of a new version of the library.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.