The VM2 library, used to securely run untrusted JavaScript code on Node.js servers, has been found to have a critical vulnerability that allows remote code execution. The issue received the maximum severity score of 10.0 and impacts all versions of VM2 from 3.9.14 and older.
The vulnerability was discovered by the research team at Korea Advanced Institute of Science and Technology (KAIST).
A new version of the library, 3.9.15, has been released to fix the issue, but proof-of-concept exploit code has already been released by KAIST Ph.D student Seongil Wi on GitHub, demonstrating the ability to bypass sandbox protections and execute commands to create arbitrary files on the host system.
VM2 is widely used in various JavaScript-related products, including integrated development environments (IDEs), code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, and security tools, and has more than 16 million monthly downloads via the NPM package repository.
In October 2022, another critical flaw, CVE-2022-36067, was found in VM2, allowing attackers to run commands on the host system, which was swiftly fixed with a new version of the library.
Users of VM2 are advised to update to the latest version of the library to mitigate the risk of exploitation.
This incident highlights the importance of regularly updating software and promptly addressing any security vulnerabilities that are identified, as even seemingly minor vulnerabilities can be exploited by cybercriminals to cause significant damage to organizations and individuals.