VYPR
patch · May 6, 2026 · 2 sources

Critical vm2 Sandbox Bug Allows Host Code Execution (Updated)

Twelve critical vulnerabilities in the vm2 Node.js library allow attackers to escape the sandbox and execute arbitrary code on the host system.

Twelve critical vulnerabilities have been disclosed in the vm2 Node.js library, which is commonly used to run untrusted JavaScript inside a sandbox. Each flaw lets sandboxed code break out of that isolation and execute arbitrary code on the host system.

The vulnerabilities affect applications that depend on vm2, directly or transitively. vm2 builds on Node's built-in vm module, which only creates a separate V8 context and is documented as not being a security mechanism; vm2 adds a layer of Proxy wrappers that intercept access to host objects so that sandboxed code cannot reach host-realm constructors such as Function. These flaws defeat that interception. Once sandboxed code reaches the host realm, the impact is bounded only by the privileges of the Node.js process, so on an unconfined process this is full system compromise.

Security researchers emphasize the severity of these findings, as they undermine the core security guarantee of the library. Users are urged to review their dependencies, including transitive ones pulled in by other packages, and to apply updates or migrate to more secure alternatives where available, since the library's sandbox model has been shown insufficient against these attack vectors. For code that truly cannot be trusted, a practitioner's caveat applies regardless of vm2 version: an in-process JavaScript sandbox should be treated as defense in depth, with the real boundary provided by a separate process, container, or isolate-based runtime running with minimal privileges.

Source: The Hacker News

Synthesized by Vypr AI