A critical flaw in the VM2 JavaScript sandbox has been discovered, allowing attackers to run unsafe code outside the sandbox environment. The vulnerability, tracked as CVE-2023-30547, is the latest in a series of sandbox escape flaws to be found in VM2 over the past few weeks.
A security researcher discovered the flaw, which allows attackers to raise an unsanitized host exception within the “handleException()” function, enabling them to escape the sandbox’s restrictions and execute arbitrary code in the host context. The flaw affects all library versions from 3.9.16 and earlier.
VM2 is a widely used JavaScript sandbox that is frequently found in integrated development environments, code editors, security tools, and pen-testing frameworks, with several million downloads per month in the NPM package repository.
The previous sandbox escape flaws in VM2 were discovered by different researchers and disclosed over the past two weeks, with the first tracked as CVE-2023-29017 by Seongil Wi, and the latest two (CVE-2023-29199 and CVE-2023-30547) by SeungHyun Lee.
All users, package maintainers, and software developers whose projects incorporate the VM2 library are advised to upgrade to version 3.9.17, which addresses the security flaw. However, the complexities of open-source software supply chains may delay upgrades across impacted tools.
Moreover, the public availability of a proof-of-concept exploit may expose users to risks for an extended duration. It is unclear if the two sandbox escape flaws are entirely new vulnerabilities or if they are caused by incomplete patches for the original CVE-2023-29017 bug. BleepingComputer has reached out to the researchers and will update the story if they receive a response.
