Attackers could quickly target systems that use the JavaScript sandbox vm2 and break out of the sandbox with malicious code. Recently published exploit code could serve as the basis for such attacks.

With the vm2 library, developers run untrusted code in isolation on a Node.js server. The vm2 sandbox is widely used with millions of monthly downloads from the NPM repository.

The "critical" vulnerability (CVE-2023-29017) is rated with the highest possible CVSS score of 10 out of 10. According to a warning message, bugs occur when processing host objects in the context of the function Error.prepareStackTrace, allowing attackers to break out of the sandbox. They could then run their own code on the host system, completely compromising the computer.

The developers state that they have closed the gap in vm2 version 3.9.15. All previous releases are said to be vulnerable.

