A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of the sandbox's security barriers and perform arbitrary operations on the underlying machine.
“A threat actor can bypass the sandbox protections to achieve distant code execution rights on the host managing the sandbox,” GitHub said in an advisory published on September 28, 2022.
The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity score of 10 on the CVSS vulnerability scoring system. It has been addressed in version 3.9.11, released on August 28, 2022.
vm2 is a popular Node library that's used to run untrusted code with allowlisted built-in modules. It's also one of the most widely downloaded software packages, accounting for approximately 3.5 million downloads each week.
The shortcoming is rooted in the error mechanism in Node.js, which is used to escape the sandbox, according to application security firm Oxeye, which discovered the flaw.
This means that successful exploitation of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and run shell commands on the system hosting the sandbox.
In light of the critical nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate possible threats.
“Sandboxes serve different purposes in modern-day applications, such as analyzing connected files in email servers, supplying an additional security layer in web browsers, or isolating actively running programs in particular operating techniques,” Oxeye explained.
“Provided the character of the use scenarios for sandboxes, it’s obvious that the vm2 vulnerability can have dire implications for apps that use vm2 devoid of patching.”
Some parts of this article are sourced from:
thehackernews.com