Researchers are caution of a important faraway code execution flaw in ‘vm2’, a JavaScript sandbox library downloaded over 16 million occasions per thirty days by the use of the NPM bundle repository.
The vm2 vulnerability is tracked as CVE-2022-36067 and gained a severity ranking of 10.0, the utmost rating within the CVSS device, as it will permit attackers to flee the sandbox atmosphere and run instructions on a number device.
Sandboxes are supposed to be an remoted atmosphere this is walled off from the remainder of the running device. On the other hand, as builders frequently use sandboxes to run or take a look at doubtlessly unsafe code, the power to “get away” from this confined atmosphere and execute code at the host is a large safety downside.
Escaping the sandbox
Safety researchers at Oxeye have discovered a artful technique to customise the decision stack of an error that happens in VM2 to generate “CallSite” gadgets created out of doors the sandbox and use them to get right of entry to Node’s international gadgets and execute instructions.
Whilst the library’s authors tried to mitigate this risk prior to now, Oxeye’s researchers discovered a technique to bypass this mitigation mechanism through the use of a customized implementation of the “prepareStackTrace” approach.
“The reporter’s POC bypassed the common sense above since vm2 overlooked wrapping particular strategies associated with the “WeakMap” JavaScript integrated kind,” the researchers provide an explanation for of their document.
“This allowed the attacker to supply their very own implementation of “prepareStackTrace,” then cause an error, and get away the sandbox.”

(Oxeye)
The analysts discovered that it’s additionally conceivable to override the worldwide Error object with a customized object that implements the “prepareStackTrace” serve as, once more gaining access to “CallSite” gadgets created out of doors the sandbox and operating instructions within the present procedure.

Replace once conceivable
Oxeye’s analysis crew found out this important downside on August 16, 2022, and reported it to the VM2 crew a few days later, who showed that they had introduced an investigation.
In the end, the authors of the preferred library launched model 3.9.11 on August 28, 2022, which addressed the sandbox get away and code execution issues.
Tool builders are prompt to replace to the newest VM2 model and substitute older releases of their initiatives once conceivable.
For finish customers, it is very important notice that it will take a little time ahead of virtualization device gear depending on VM2 practice the to be had safety replace.
As we noticed with Log4Shell, a important safety downside in a extensively deployed open-source library would possibly persist for prolonged sessions with out the impacted customers even figuring out they’re prone because of the obscurity within the provide chain.
If you happen to use a sandbox answer, take a look at if it is dependent upon VM2 and whether or not it is the use of the newest model.