CVE-2022-36067 is the CVE ID that has been assigned to the vm2 vulnerability. It carries a CVSS severity score of 10.0, which is the highest score possible.
An attacker can escape the vm2 sandbox by exploiting the CVE-2022-36067 vulnerability. After successful exploitation, code running within the sandboxed environment is able to run shell commands on the victim's system.
An error that occurs in vm2 can be customized so that it generates objects called “CallSite”, which can be used to customize the call stack.
By creating these objects, it is possible to access the global objects of Node.js outside of the sandbox and to execute commands.
The library’s authors had previously added a mitigation mechanism to limit the possibility of this happening, but Oxeye’s researchers found a way to bypass it. The bypass works by customizing the “prepareStackTrace” method.
The vm2 maintainers were notified about this critical issue a couple of days after Oxeye discovered it on August 16, 2022. Version 3.9.11, which addresses this issue, was released on August 28, 2022, by the authors of the vm2 library.
Applications that use the sandbox without the patch might face alarming consequences if CVE-2022-36067 is exploited.
In response, cybersecurity experts strongly recommend that users immediately install version 3.9.11 of vm2 to protect themselves.