Critical Flaws In vm2 JavaScript Library Can Lead to Remote Code Execution

Critical Flaws In vm2 JavaScript Library Can Lead to Remote Code Execution

Two severe vulnerabilities that might be exploited to bypass the sandbox safeguards have been patched in the vm2 JavaScript library.

Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.

Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.

“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” the maintainers of the vm2 library said in an alert.

ALSO, READ Shein’s Android App Caught Transmitting Clipboard Data to Remote Servers

Credited with discovering and reporting the vulnerabilities is security researcher SeungHyun Lee, who has also released proof-of-concept (PoC) exploits for the two issues in question.

Critical Flaws In vm2 JavaScript Library Can Lead to Remote Code Execution

The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.

It’s worth noting that researchers from Oxeye detailed a critical remote code execution vulnerability in vm2 late last year (CVE-2022-36067, CVSS score: 9.8) that was codenamed Sandbreak.