- Oxeye announced that it has discovered a new vm2 vulnerability with a CVSS score of 10.0, the highest possible.
- R&D leaders, AppSec engineers, and security professionals who use vm2 in their applications need to patch it immediately.
- Oxeye reported the vulnerability to the developers, and it was patched in version 3.9.11 shortly after the report.
Oxeye, a cloud-native application security solution provider, announced that it has discovered a vm2 vulnerability. The vulnerability, tracked as CVE-2022-36067 and also known as SandBreak, has received the maximum possible CVSS score of 10.0. R&D leaders, AppSec engineers, and security professionals who use the vm2 sandbox in their applications need to patch it immediately.
CVSS score of 10.0
The company stated that vm2 is a popular JavaScript sandbox library that can run untrusted code synchronously in a single process. It gives the host full control over the sandbox's console output, lets it limit access to select built-in modules, and allows methods to be called and data exchanged securely between sandboxes.
Oxeye described the flaw as a critical sandbox-escape vulnerability in vm2 that leads to remote code execution. It was reported to the developers and patched in version 3.9.11. Once exploited, it allows attackers to break out of the vm2 sandbox and run shell commands on the machine hosting it. Because a sandbox exists precisely to contain untrusted code, an escape defeats its purpose entirely; that is why the vulnerability received the maximum CVSS score of 10.0 and why it can have dire consequences for applications that use vm2 without patching. Gal Goldshtein, Senior Security Researcher at Oxeye, said:
« Our usual approach when evaluating a given software’s security is first to analyze the previous security lapses discovered in the same software. This helps us better grasp the available attack surface and may also lead to low-hanging bugs stemming from incomplete fixes. It also helps us come up with techniques to bypass the implemented fixes. While reviewing the previous bugs disclosed to the vm2 maintainers, we noticed an interesting technique: the bug reporter abused the error mechanism in Node.js to escape the sandbox. »
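The practical question for anyone running vm2 is whether the copy actually installed is older than the fixed release 3.9.11 named above. The following Node.js script is an added example, not code from Oxeye or the vm2 project: it walks a package-lock.json object and flags every vm2 entry below 3.9.11, including transitive copies nested under other dependencies, which are easy to overlook when only the top-level dependency has been bumped. The two lock-file objects and the package name `some-plugin-runner` are constructed for illustration; the only fact taken from the page is that 3.9.11 is the patched version, so any lower version (including a pre-release of 3.9.11) is treated as unpatched.

```javascript
// Added example (not Oxeye's or vm2's code): find vm2 entries in a package-lock.json
// and report which ones predate the SandBreak fix. Lock-file data below is constructed.

const FIXED_VERSION = '3.9.11'; // first vm2 release containing the fix, per the report

// Compare two SemVer-style versions: negative if a < b, 0 if equal, positive if a > b.
// Build metadata (+...) is ignored; a pre-release (-...) sorts before the final release.
function compareVersions(a, b) {
  const [coreA, preA] = a.split('+')[0].split('-');
  const [coreB, preB] = b.split('+')[0].split('-');
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// True when the installed version is older than the fixed release.
function isVulnerableVm2(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every vm2 instance in a parsed package-lock.json.
// lockfileVersion 2/3 carries a flat "packages" map keyed by install path;
// lockfileVersion 1 carries a nested "dependencies" tree. v2 has both, so prefer "packages".
function findVm2(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, vulnerable: isVulnerableVm2(version) });

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        record(path, meta.version);
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Constructed lockfileVersion 3 sample: the app pins an old vm2 at top level while a
// hypothetical plugin runner bundles its own, already-patched copy.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '3.9.10', 'some-plugin-runner': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.10' },
    'node_modules/some-plugin-runner': { version: '1.0.0', dependencies: { vm2: '3.9.11' } },
    'node_modules/some-plugin-runner/node_modules/vm2': { version: '3.9.11' },
  },
};

// Constructed lockfileVersion 1 sample: vm2 only reachable through a nested dependency.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-plugin-runner': {
      version: '1.0.0',
      requires: { vm2: '3.9.9' },
      dependencies: { vm2: { version: '3.9.9' } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const hit of findVm2(lock)) {
    console.log(`${hit.path} ${hit.version} -> ${hit.vulnerable ? 'VULNERABLE (< 3.9.11)' : 'patched'}`);
  }
}
```

To run it against a real project, replace the constructed objects with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; `npm ls vm2` gives the same tree view from npm's side and is a good cross-check.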