The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.
The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” vm2 disclosed in an advisory.
The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that vm2 does not properly handle errors that occur in asynchronous functions.
vm2 is a popular library that is used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads.
KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get around the sandbox protections and allow the creation of an empty file named “flag” on the host.
The disclosure comes almost six months after vm2 fixed another critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary operations on the underlying machine.
Some parts of this article are sourced from:
thehackernews.com