April 8, 2023
Critical Vulnerability in VM2 JS Sandbox Library
A critical vulnerability found in VM2 can be used by a threat actor to bypass the sandbox protections and execute remote code on the host running the sandbox.
The vulnerability is caused by an asynchronous error that the VM2 library does not handle properly.
The vulnerability in VM2 affects all packages and repositories that use this library.
- CVE-2023-29017 (CVSS 3.1: 10, Critical) – A sandbox-escape vulnerability whose exploitation could lead to RCE (Remote Code Execution) on the host.
- Affected versions: VM2 sandbox 3.9.14 and prior.
- CYREBRO urges all clients to update VM2 to version 3.9.15.
- Update VM2 in each package or repository that uses this sandbox. See the list here.
- Make sure that each product using this library has been updated by its vendor.
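As an added check that is not part of the CYREBRO advisory, the Node.js script below walks a package-lock.json (lockfileVersion 2 or 3 "packages" map) and flags every installed copy of vm2, including nested copies pulled in by other dependencies, that is older than 3.9.15. The embedded sample lockfile, the dependency name "example-sandbox-wrapper" and the version 3.9.11 are constructed for the example.

```javascript
// Added example (not from the advisory): audit a package-lock.json for vm2 copies
// older than the fixed release named in the advisory.
const FIXED_VM2_VERSION = "3.9.15";

// Parse "MAJOR.MINOR.PATCH" (prerelease/build metadata ignored) into numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every key in the lockfile's "packages" map ending in "node_modules/vm2" is an
// installed vm2 instance; nested keys are copies installed for a sub-dependency.
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VM2_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level vm2 plus a vulnerable nested copy
// brought in by the hypothetical dependency "example-sandbox-wrapper".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/example-sandbox-wrapper": { version: "2.0.0", dependencies: { vm2: "3.9.11" } },
    "node_modules/example-sandbox-wrapper/node_modules/vm2": { version: "3.9.11" },
  },
};

// CLI use: `node audit-vm2.js path/to/package-lock.json`; without a path the sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCKFILE;
  const hits = findVulnerableVm2(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.path} vm2@${h.version} (< ${FIXED_VM2_VERSION})`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The non-zero exit code when any copy is flagged lets the script gate a CI pipeline until every nested vm2 has been bumped.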
The CYREBRO intelligence team is monitoring the situation and will send updates if any significant developments occur.