A security researcher has discovered a critical vulnerability in VM2, a JavaScript sandbox library used to run untrusted code in an isolated environment. The researcher released a proof-of-concept (PoC) exploit for a sandbox escape that allows malicious code to execute on the host running VM2. Over the last few weeks, several critical vulnerabilities have been discovered in VM2, each enabling attackers to run malicious code outside the isolated environment.
One of these vulnerabilities, CVE-2023-30547 (CVSS 9.8), is an exception-sanitization flaw that lets an attacker raise an unsanitized exception, bypassing the handleException() function. The bug affects a library that is downloaded almost 4 million times a week and integrated into more than 700 packages; exploitation can cause damage ranging from denial-of-service (DoS) to bypassing the sandbox restrictions and executing arbitrary code in the host's context.
The vulnerability was discovered by security researcher SeungHyun Lee of the Korea Advanced Institute of Science and Technology (KAIST). He indicated that the flaw affects all versions of the library up to and including 3.9.16. The researcher also published a PoC exploit that demonstrates the attack by creating a file named "PWNED" on the host.
Users, including software developers whose projects depend on the VM2 library, are advised to update to version 3.9.17 as soon as possible to eliminate the vulnerability. However, because of the complexity of software supply chains and the library's footprint across many open-source projects, the VM2 update may take time to propagate, leaving many users at considerable risk in the meantime.
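Because vm2 is usually pulled in transitively, a direct `npm ls` of the top-level dependency can miss a vulnerable copy nested under another package. The following script is an added example, not code from the article or from the vm2 project: it walks a `package-lock.json` object (both the lockfile v1 `dependencies` tree and the v2/v3 `packages` map) and reports every vm2 entry whose version is below the fixed release 3.9.17 named above. The lockfile content embedded at the bottom is constructed sample data, not a real project's lockfile.

```javascript
// Added example (not from the article or the vm2 project): scan a package-lock.json
// object for vm2 entries and flag any version below the fixed release 3.9.17.

const FIXED_VERSION = "3.9.17"; // first release that fixes CVE-2023-30547, per the article

// Compare two dotted version strings numerically; pre-release suffixes are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every vm2 occurrence in a parsed lockfile, including nested copies
// installed under other dependencies' node_modules directories.
function findVm2(lock) {
  const found = [];

  // lockfile v2/v3: "packages" is keyed by install path, e.g.
  // "node_modules/some-runner/node_modules/vm2"
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
      found.push({ path, version: meta.version });
    }
  }

  // lockfile v1: nested "dependencies" tree
  function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  }
  if (!lock.packages) walk(lock.dependencies, "");

  return found;
}

// Entries whose version predates the fix and therefore still need updating.
function vulnerableVm2(lock) {
  return findVm2(lock).filter(e => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (v3 layout): the application pins vm2 at the fixed
// version, but a transitive dependency still carries its own vulnerable copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.17" },
    "node_modules/some-runner": { version: "2.1.0", dependencies: { vm2: "3.9.14" } },
    "node_modules/some-runner/node_modules/vm2": { version: "3.9.14" }
  }
};

for (const e of vulnerableVm2(sampleLock)) {
  console.log(`vulnerable vm2 ${e.version} at ${e.path} (update to ${FIXED_VERSION})`);
}
```

Run against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a clean result means every vm2 copy in the lockfile, nested ones included, is at 3.9.17 or later.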