vm2 has addressed two critical vulnerabilities affecting its JavaScript sandbox library. Both vulnerabilities, CVE-2023-29199 and CVE-2023-30547, have a CVSS score of 9.8. Successful exploitation may allow an attacker to perform remote code execution.
Seung Hyun Lee of KAIST Hacking Lab discovered the vulnerabilities and released proof-of-concept (PoC) exploits for CVE-2023-29199 and CVE-2023-30547 on GitHub.
vm2 is a widely used JavaScript sandbox with more than 16 million monthly downloads. It can run untrusted code while exposing only the Node built-in modules that the host allows. Sandboxes are used in modern applications for a variety of functions. The product is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products. Given the nature of these sandbox use cases, the vm2 vulnerabilities can have severe consequences for applications that depend on it.
CVE-2023-29199: vm2 Sandbox Escape Vulnerability
The vulnerability exists in the source code transformer due to improper handling in the exception sanitization logic. It may allow attackers to bypass handleException() and leak unsanitized host exceptions, which can be used to escape the sandbox and perform remote code execution in the host context.
CVE-2023-30547: vm2 Sandbox Escape Vulnerability
The vulnerability exists in the exception sanitization logic. It allows attackers to raise an unsanitized host exception inside handleException() and use it to escape the sandbox and perform remote code execution in the host context.
Affected versions
CVE-2023-29199 affects vm2 NPM package versions before 3.9.16, and CVE-2023-30547 affects vm2 NPM package versions before 3.9.17.
Mitigation
For CVE-2023-29199, customers are advised to upgrade to version 3.9.16 or later.
For CVE-2023-30547, customers are advised to upgrade to version 3.9.17 or later.
For more information, please refer to GitHub Advisory GHSA-ch3r-j5x3-6q2m and GitHub Advisory GHSA-xj72-wvfv-8985.
Qualys Detection
Qualys customers can scan their devices with QIDs 378431 and 378432 to detect vulnerable assets.
The QIDs check for vulnerable versions of the vm2 NPM package installed globally. The QIDs run the npm list -g --silent command and check the file /usr/local/lib/node_modules/vm2/package.json to look for vulnerable versions of vm2.
Note: NPM packages can be installed anywhere as a development or production dependency. The QIDs can only detect vm2 packages that are installed globally. On Microsoft Windows, these QIDs check for installed packages within the %systemdrive%\Users\Administrator directory.
QID 992796 is currently available via the SCA (Software Composition Analysis) capabilities for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/advisories/GHSA-xj72-wvfv-8985
https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m