"Critical vm2 Sandbox Escape Flaw Uncovered, Patch ASAP! (CVE-2022-36067)"

Oxeye researchers discovered a critical vm2 vulnerability (CVE-2022-36067) with a CVSS score of 10.0. This new vulnerability, called SandBreak, requires R&D leaders, AppSec engineers, and security professionals to immediately patch the vm2 sandbox if it is used in their applications. With approximately 17.5 million monthly downloads, vm2 is the most popular JavaScript sandbox library. It offers a widely used software testing framework that can run untrusted code synchronously in a single process. It is one of the most popular testing environments, with millions of developers using it because it provides complete control over the sandbox's console output, as well as the ability to limit access to specific built-in modules or securely call methods and exchange data between sandboxes. The Oxeye research team discovered a critical sandbox escape vulnerability in vm2 that allows Remote Code Execution (RCE). The vulnerability was quickly disclosed to the project owners and patched in version 3.9.11. For this vulnerability, GitHub issued advisory CVE-2022-36067 with a CVSS score of 10, alerting users. A threat actor who exploits this vulnerability will be able to run shell commands on the machine hosting it, bypassing the vm2 sandbox environment. Sandboxes are used in a variety of modern applications, such as examining attached files in email servers, adding an extra layer of security to web browsers, and isolating actively running applications in certain operating systems. This article continues to discuss the potential exploitation and impact of the vm2 sandbox flaw.

Help Net Security reports "Critical VM2 Sandbox Escape Flaw Uncovered, Patch ASAP! (CVE-2022-36067)"