Tuesday, October 11, 2022
HomeCyber SecurityResearchers Element Essential RCE Flaw Reported in Widespread vm2 JavaScript Sandbox

Researchers Element Essential RCE Flaw Reported in Widespread vm2 JavaScript Sandbox


A now-patched safety flaw within the vm2 JavaScript sandbox module might be abused by a distant adversary to interrupt out of safety boundaries and carry out arbitrary operations on the underlying machine.

“A risk actor can bypass the sandbox protections to realize distant code execution rights on the host operating the sandbox,” GitHub mentioned in an advisory revealed on September 28, 2022.

CyberSecurity

The problem, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a most severity ranking of 10 on the CVSS vulnerability scoring system. It has been addressed in model 3.9.11 launched on August 28, 2022.

vm2 is a standard Node library that is used to run untrusted code with allowlisted built-in modules. It is also one of the vital extensively downloaded software program, accounting for almost 3.5 million downloads per week.

vm2 JavaScript Sandbox

The shortcoming is rooted within the error mechanism in Node.js to flee the sandbox, in line with software safety agency Oxeye, which found the flaw.

Which means profitable exploitation of CVE-2022-36067 may allow an attacker to bypass the vm2 sandbox surroundings and run shell instructions on the system internet hosting the sandbox.

CyberSecurity

In gentle of the important nature of the vulnerability, customers are really helpful to replace to the most recent model as quickly as attainable to mitigate attainable threats.

“Sandboxes serve completely different functions in fashionable functions, equivalent to inspecting connected recordsdata in electronic mail servers, offering an extra safety layer in net browsers, or isolating actively operating functions in sure working techniques,” Oxeye mentioned.

“Given the character of the use instances for sandboxes, it is clear that the vm2 vulnerability can have dire penalties for functions that use vm2 with out patching.”



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments