Sandbreak – A Critical Remote Code Execution Bug Found in Widely Used vm2 JavaScript Sandbox

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Security researchers at Oxeye have found a severe remote code execution (RCE) flaw, dubbed “Sandbreak,” in the JavaScript sandbox library vm2.

vm2 is one of the most popular JavaScript sandboxes, reaching a total of 16 million downloads each month through the NPM package repository.

The vulnerability has been assigned the identifier CVE-2022-36067 and a CVSS severity score of 10.0, the highest score possible.

By exploiting CVE-2022-36067, an attacker can escape the vm2 environment. After successful exploitation, the attacker is able to run shell commands on the system of the victim that is running the sandboxed code.

In vm2, an error can be customized so that it produces an object called a “CallSite”, which can be used to customize the call stack.

By creating these objects, it becomes possible to reach the global objects of Node.js outside the sandbox and execute commands.

Oxeye’s researchers found a way to bypass the mitigation the library’s authors had put in place to limit this possibility. To achieve this, the “prepareStackTrace” method is customized to perform the action.

Recommendation

Oxeye discovered the issue on August 16, 2022, and notified the vm2 maintainers a couple of days later. The authors of the vm2 library released version 3.9.11, which addresses the issue, on August 28, 2022.

Applications that use the sandbox without this patch face serious consequences if CVE-2022-36067 is exploited.

Security experts therefore strongly recommend that users immediately upgrade to version 3.9.11 to protect themselves.
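Because a fixed direct dependency does not rule out an older vm2 copy nested under another package, the practical check is to scan the lockfile for every vm2 entry below 3.9.11. The script below is an added example, not code from the article or the vm2 project; it handles npm lockfileVersion 1 and 2/3 layouts, and the sample lockfile and the package name "some-plugin" are constructed for illustration.

```javascript
// Added example, not from the article or the vm2 project: scan an npm lockfile
// for vm2 entries older than the fixed release 3.9.11 named in the article.
// Handles lockfileVersion 1 ("dependencies", nested) and 2/3 ("packages").
const FIXED_VERSION = "3.9.11"; // first release that fixes CVE-2022-36067

// Compare "x.y.z" strings numerically; a pre-release suffix is ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return {path, version, vulnerable} for every vm2 copy in the lockfile,
// including transitive copies nested under other packages.
function findVm2(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, vulnerable: compareVersions(version, FIXED_VERSION) < 0 });
  for (const [p, meta] of Object.entries(lock.packages || {})) {   // lockfileVersion 2/3
    if (p.endsWith("node_modules/vm2") && meta.version) record(p, meta.version);
  }
  const walk = (deps, prefix) => {                                  // lockfileVersion 1
    for (const [name, meta] of Object.entries(deps)) {
      const p = `${prefix}node_modules/${name}`;
      if (name === "vm2" && meta.version) record(p, meta.version);
      if (meta.dependencies) walk(meta.dependencies, p + "/");
    }
  };
  if (!lock.packages && lock.dependencies) walk(lock.dependencies, ""); // v2 files also carry this tree
  return found;
}

// Constructed sample lockfile (lockfileVersion 2): the direct dependency is fixed,
// but a hypothetical "some-plugin" still pins its own vulnerable copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "^3.9.5" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.10" },
  },
};

for (const r of findVm2(sampleLock)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? "VULNERABLE, upgrade" : "ok"}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.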