virus logo Web Application Security

vm2.Sandbox.Remote.Code.Execution

description-logoDescription

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

description-logoOutbreak Alert

vm2 is a sandbox solution that can run untrusted code with whitelisted Node's built-in modules. Exploiting the flaws, threat actors can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

View the full Outbreak Alert Report

affected-products-logoAffected Products

In versions prior to version 3.9.11

Impact logoImpact

A threat actor who exploits this vulnerability will be able to bypass the vm2 sandbox environment and run shell commands on the machine hosting the sandbox.

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vendor.
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq

Version Updates

Date Version Detail
2023-04-28 0.00347
2022-10-19 0.00331

CVE References

CVE-2022-36067 CVE-2023-29017 CVE-2023-29199 CVE-2023-30547
ID 1090501592
Created Oct 20, 2022
Updated Apr 30, 2023
Outbreak Alert VM2 Sandbox Escape
Risk black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon
Default Action pass
Active
Affected OS All
Affected App VM2
Engine Version 5.0.1 or later