Exploit available for critical bug in VM2 JavaScript sandbox library

Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the widely used VM2 library, a JavaScript sandbox used by several software programs to securely execute code in a virtualized environment.

The library is designed to run untrusted code in an isolated context on Node.js servers. It allows partial execution of code and prevents unauthorized access to system resources or external data.

VM2 has over 16 million monthly downloads through the NPM package repository and is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, test frameworks, penetration testing and security tools, and various JavaScript-related products.

Maximum severity level

Tracked as CVE-2023-29017, the recently patched vulnerability received the maximum severity score of 10.0. It was discovered by the research team of Korea Advanced Institute of Science and Technology (KAIST).

The researchers discovered that the VM2 library mishandled host objects passed to the ‘Error.prepareStackTrace’ function when an asynchronous error occurred.

Exploiting the security issue can lead to bypassing sandbox protections and achieving remote code execution on the host.

“A malicious actor can bypass sandbox protections to gain remote code execution rights on the host running the sandbox,” reads the security advisory.

The issue affects all versions of VM2 up to and including 3.9.14. The problem was resolved with the release of a new version of the library, 3.9.15. There is no workaround available.
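Because upgrading is the only fix, the practical check is whether any copy of vm2 in a dependency tree, including nested transitive copies, is older than 3.9.15. The following is an added example, not code from the article or the VM2 project; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag vm2 installs affected by CVE-2023-29017 (3.9.14 and earlier).
const FIXED = [3, 9, 15]; // first patched release, per the article

// Parse "3.9.14" (or "3.9.14-beta.1") into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when the version is older than the fixed release.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true; // unknown version: treat as needing manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// Walk a parsed package-lock.json and return every vm2 entry with its status.
function findVm2(lock) {
  const hits = [];
  const record = (path, pkg) =>
    hits.push({ path, version: pkg.version, vulnerable: isVulnerable(pkg.version) });
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) record(path, pkg);
  }
  if (hits.length) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "vm2") record(path, pkg);
      walk(pkg.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one vulnerable nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/vm2": { version: "3.9.15" },
  "node_modules/example-runner/node_modules/vm2": { version: "3.9.14" },
} };
for (const h of findVm2(sampleLock))
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok"}  vm2@${h.version}  ${h.path}`);
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVm2`.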

Exploit code available

After the release of the new version of VM2 that fixes the critical vulnerability, KAIST PhD student Seongil Wi published two variants of the exploit code for CVE-2023-29017 in a secret repository on GitHub.

The PoCs, in their released form, simply create a new file named “flag” on the host system, proving that VM2’s sandbox protections can be bypassed, allowing the execution of commands to create arbitrary files on the host system.

In October 2022, VM2 suffered from another critical flaw, CVE-2022-36067, which also allowed attackers to break out of the sandbox environment and execute commands on the host system. This issue was also resolved quickly with the release of a new version of the library.
