April 19, 2023
Two Critical Vulnerabilities in VM2 JS Sandbox Library
Two critical vulnerabilities have been discovered in the VM2 JS Sandbox Library. Successful exploitation of these vulnerabilities could lead to a threat actor to escape the sandbox and execute a remote code on the host running the sandbox.
The vulnerability in VM2 affects all the packages and repositories using this library.
- CVE-2023-29199 (CVSS 3.1: 9.8, critical) – A vulnerability in source code transformer (exception sanitization logic) of VM2, allowing a threat actor to bypass “handleException()” and leak unsensitized host exceptions.
- CVE-2023-30547 (CVSS 3.1: 9.8, critical) – A vulnerability in exception sanitization of VM2, allowing a threat actor to raise an unsensitized host exception inside “handleException()”.
- VM2 sandbox version 3.9.16 and prior.
- CYREBRO recommends updating VM2 to version 3.9.17.
- Update VM2 for each package or repository using this sandbox. See the list here.
- Make sure that each product using this library was updated by the vendors.
The CYREBRO intelligence team is monitoring the situation and will send updates if any significant developments occur.