CVE-2023-29199: For versions of vm2 up to 3.9.15, there is a flaw in the source code transformer (exception sanitization logic) that enables attackers to circumvent ‘handleException()’ and leak unsanitized host exceptions. These exceptions can then be leveraged to break out of the sandbox and execute arbitrary code in the host context, giving a threat actor access to the host on which the sandbox is running. Version ‘3.9.16’ of ‘vm2’ was released with a fix for this issue.
CVE-2023-30547: vm2 is a sandbox that can run untrusted programs with whitelisted Node built-in modules. For versions of vm2 up to 3.9.16, there is a flaw in the exception sanitization that enables attackers to raise an unsanitized host exception inside ‘handleException()’ and use it to bypass the sandbox and execute arbitrary code in the host context. Version ‘3.9.17’ of ‘vm2’ was released with a fix for this issue. There are no known workarounds, so users are encouraged to update.
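Because both flaws are fixed only by upgrading, the practical check is whether any copy of vm2 in a dependency tree (including nested, transitive copies) is below the fixed versions named above. The following is an added example, not code from the article or from the vm2 project; it audits a parsed package-lock.json (lockfile v2/v3 "packages" layout) against the two fix versions the article states, using a constructed sample lockfile as input.

```javascript
// Added example, not from the article or the vm2 project: flag vm2 copies
// in a package-lock.json that are older than the fixed versions above.
const ADVISORIES = [
  { id: 'CVE-2023-29199', fixedIn: '3.9.16' },
  { id: 'CVE-2023-30547', fixedIn: '3.9.17' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: <0 if a is older than b, 0 if equal, >0 if newer.
// A pre-release (3.9.16-beta) sorts below its release, as in semver;
// two different pre-release tags of the same version are not ordered here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect every "node_modules/.../vm2" entry; a nested transitive copy is
// just as reachable from the host process as the top-level one.
function findVm2(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2'))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// For each vm2 copy, list the advisories whose fix version it has not reached.
function auditLock(lock) {
  return findVm2(lock).map(({ path, version }) => ({
    path,
    version,
    affected: ADVISORIES.filter(a => compareVersions(version, a.fixedIn) < 0).map(a => a.id),
  }));
}

// Constructed sample lockfile: one patched top-level vm2, one stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.15' },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, parse its package-lock.json with JSON.parse and pass the object to auditLock; any entry with a non-empty "affected" list needs the upgrade.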
By successfully exploiting either flaw, an attacker can raise an unsanitized host exception, escape the sandbox, and run arbitrary code in the host context.
The maintainers of the vm2 library issued a warning saying that “a threat actor can circumvent the sandbox protections to gain remote code execution rights on the host running the sandbox.”
Security researcher SeungHyun Lee is credited with finding and disclosing the flaws. He has also made proof-of-concept (PoC) exploits available for the two problems in question.
A week ago, vm2 patched another sandbox escape vulnerability (CVE-2023-29017, CVSS score: 9.8) that might allow arbitrary code to be executed on the underlying system.
It’s important to remember that late last year, researchers from Oxeye published details of the Sandbreak vulnerability, a serious remote code execution flaw in vm2 (CVE-2022-36067, CVSS score: 9.8).