April 8, 2023

Critical Vulnerability in VM2 JS Sandbox Library

A critical vulnerability found in VM2 can be used by a threat actor to bypass the sandbox protections and to execute a remote code on the host running the sandbox.
The vulnerability is caused due to an asynchronous error not being handled properly by VM2 library

VM2 library is a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. It is the most widely used JavaScript sandbox library worldwide, which receives about 17.5 million downloads each month.

The vulnerability in VM2 affects all the packages and repositories using this library.

The Vulnerability

• CVE-2023-29017 (CVSS 3.1: 10, Critical) – A remote code vulnerability. Exploitation of this vulnerability could lead to potential RCE (Remote Code Execution).

Vulnerable Products

• VM2 sandbox version 3.9.14 and prior.

Mitigation

1. CYREBRO urges all clients to updated VM2 to version 3.9.15.
2. Update VM2 for each package or repository using this sandbox. See the list here.
3. Make sure that each product using this library was updated by the vendors.

The CYREBRO intelligence team is monitoring the situation and will send updates if any significant developments occur.

References: NIST|GitHub