SOCRadar® Cyber Intelligence Inc. | Critical Vulnerability in vm2 JavaScript Sandbox Library: Exploit Code Available


Apr 10, 2023
3 Mins Read

Critical Vulnerability in vm2 JavaScript Sandbox Library: Exploit Code Available

[April 19, 2023] Update: Added subheading: “Patches Released for New Vulnerabilities: CVE-2023-29199 and CVE-2023-30547.”

The vm2 library’s author recently released a patch for a critical vulnerability that affects all previous versions. The vulnerability, tracked as CVE-2023-29017has the CVSS score of 9.8, and threat actors could use it to escape the sandbox and execute arbitrary code.

There is now an exploit code available for the CVE-2023-29017 vulnerability in the vm2 JavaScript sandbox module.

vm2 is a well-known JavaScript sandbox library that is used by software, including IDEs, code editors, and various security tools. It allows partial code execution on isolated Node.js servers while securing system resources and external data from unauthorized access.

The vm2 library has over 4 million weekly downloads on NPM.
The vm2 library has over 4 million weekly downloads on NPM.

What is the Impact of CVE-2023-29017?

The CVE-2023-29017 vulnerability exists because the vm2 library improperly handles the host objects passed to the ‘Error.prepareStackTrace‘ function when an asynchronous error occurs. Successful exploitation of CVE-2023-29017 could enable bypassing the sandbox and gaining remote code execution on the host that runs the sandbox.

The problem affects all versions of vm2 prior to version 3.9.15, and the issue has been resolved with the 3.9.15 version of the library. Unfortunately, there is no workaround for this problem.

Seongil Wi, a Ph.D. student at KAIST, has created two versions of a proof-of-concept exploit for CVE-2023-29017. These exploits bypass the sandbox protections and enable creation of an empty file called “flag” on the host system.

According to the security advisory, an attacker can bypass the protective measures of vm2’s sandbox, which can lead to the execution of remote code on the host system. 

Patches Released for New Vulnerabilities: CVE-2023-29199 and CVE-2023-30547

New updates have been released for the vm2 JavaScript library to fix two serious vulnerabilities that could be used to bypass the sandbox protections and gain remote code execution.

These vulnerabilities are labeled CVE-2023-29199 andCVE-2023-30547 and have a critical CVSS score of 9.8. An attacker could exploit these vulnerabilities to raise an unsanitized host exception and potentially run harmful code in the host context by escaping the sandbox.

The updates to address these vulnerabilities are available in versions 3.9.16 and 3.9.17. SeungHyun Lee, a security researcher, reported the two vulnerabilities and published proof-of-concept (PoC) exploits on GitHub.

Stay Proactive and Informed with SOCRadar

SOCRadar is a comprehensive threat intelligence platform that can help organizations stay updated on the latest vulnerabilities and risks. The platform collects information on all known vulnerabilities and presents it in an actionable format, using alarms to make it easy to prioritize actions and stay informed of potential threats. 

Company Vulnerabilities on SOCRadar EASM

SOCRadar’s Attack Surface Management service provides real-time tracking of vulnerabilities in your organization’s digital footprint, allowing security teams to proactively address critical vulnerabilities by leveraging contextual intelligence.