“A risk actor can bypass the sandbox protections to achieve distant code execution rights on the host operating the sandbox,” GitHub said in an advisory published on September 28, 2022.
The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in version 3.9.11, released on August 28, 2022.
vm2 is a popular Node library that is used to run untrusted code with allowlisted built-in modules. It is also one of the most widely downloaded pieces of software, accounting for almost 3.5 million downloads per week.
The flaw is rooted in the error mechanism in Node.js, which makes it possible to escape the sandbox, according to software security firm Oxeye, which discovered the flaw.
This means that successful exploitation of CVE-2022-36067 could allow an attacker to bypass the vm2 sandbox environment and run shell commands on the system hosting the sandbox.
In light of the critical nature of the vulnerability, users are advised to update to the latest version as soon as possible to mitigate potential threats.
“Sandboxes serve completely different functions in fashionable functions, corresponding to inspecting hooked up files in e-mail servers, offering a further safety layer in internet browsers, or isolating actively operating functions in sure working techniques,” Oxeye said.
“Given the character of the use instances for sandboxes, it is clear that the vm2 vulnerability can have dire penalties for functions that use vm2 with out patching.”