Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

October 11, 2022
vm2 JavaScript Sandbox

A now-patched safety and security imperfection in the vm2 JavaScript sandbox component might be abused by a remote foe to burst out of safety and security obstacles as well as do approximate procedures on the underlying maker.

” A risk star can bypass the sandbox defenses to acquire remote code implementation civil liberties on the host running the sandbox,” GitHub said in an advising released on September 28, 2022.


The problem, tracked as CVE-2022-36067 as well as codenamed Sandbreak, brings an optimum extent ranking of 10 on the CVSS susceptability racking up system. It has actually been dealt with in version 3.9.11 launched on August 28, 2022.

vm2 is a popular Node library that’s made use of to run untrusted code with allowlisted integrated components. It’s additionally among one of the most extensively downloaded and install software program, representing virtually 3.5 million downloads each week.

vm2 JavaScript Sandbox

The shortcoming is rooted in the mistake device in Node.js to run away the sandbox, according to application safety and security company Oxeye, which discovered the flaw.

This indicates that effective exploitation of CVE-2022-36067 might allow an assaulter to bypass the vm2 sandbox setting as well as run covering commands on the system organizing the sandbox.


Due to the essential nature of the susceptability, individuals are suggested to upgrade to the most up to date variation immediately to alleviate feasible hazards.

” Sandboxes offer various objectives in contemporary applications, such as checking out affixed data in e-mail web servers, supplying an extra safety and security layer in internet internet browsers, or separating proactively running applications in particular os,” Oxeye stated.

” Provided the nature of the usage instances for sandboxes, it’s clear that the vm2 susceptability can have alarming repercussions for applications that make use of vm2 without patching.”

Posted in SecurityTags:
Write a comment