There is a critical vulnerability in the VM2 sandbox that can allow an attacker to gain remote code execution on the host system that’s running a vulnerable version of the sandbox.
The bug affects versions of VM2 prior to 3.9.15 and there is proof-of-concept code available for it publicly. There are no known workarounds for the vulnerability, and users should upgrade to the newest version to protect against exploitation.
VM2 is a sandbox designed to run on Node.js servers and is meant to allow users to run untrusted code in a safe environment. The library is quite popular and is used in a wide range of other projects.
The vulnerability (CVE-2023-29017) is related to the way that VM2 handles some specific objects and errors.
“vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds,” the advisory says.
Researchers at the Korea Advanced Institute of Science and Technology Web Security and Privacy Lab discovered the vulnerability and have published a simple proof-of-concept exploit that can be used against it.
The bug is fixed in version 3.9.15 of VM2.