April 19, 2023

Two Critical Vulnerabilities in VM2 JS Sandbox Library

Two critical vulnerabilities have been discovered in the VM2 JS Sandbox Library. Successful exploitation of these vulnerabilities could lead to a threat actor to escape the sandbox and execute a remote code on the host running the sandbox.

VM2 library is a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. It is the most widely used JavaScript sandbox library worldwide, which receives about 17.5 million downloads each month.

The vulnerability in VM2 affects all the packages and repositories using this library.

The Vulnerability

• CVE-2023-29199 (CVSS 3.1: 9.8, critical) – A vulnerability in source code transformer (exception sanitization logic) of VM2, allowing a threat actor to bypass “handleException()” and leak unsensitized host exceptions.
• CVE-2023-30547 (CVSS 3.1: 9.8, critical) – A  vulnerability in exception sanitization of VM2, allowing a threat actor to raise an unsensitized host exception inside “handleException()”.

Vulnerable Products

• VM2 sandbox version 3.9.16 and prior.

Mitigation

1. CYREBRO recommends updating VM2 to version 3.9.17.
2. Update VM2 for each package or repository using this sandbox. See the list here.
3. Make sure that each product using this library was updated by the vendors.

The CYREBRO intelligence team is monitoring the situation and will send updates if any significant developments occur.

References: NIST, CVE MITRE