The developers of the vm2 JavaScript sandbox have released a patch for a critical vulnerability that can be used to bypass the sandbox and execute arbitrary code on the host. Researchers from the Korea Advanced Institute of Science and Technology (KAIST) reported the issue, which was disclosed on April 6, 2023, assigned CVE-2023-29017 and given the maximum CVSS score of 10.0. The bug lies in how vm2 handled errors raised by asynchronous functions: an unhandled async error let a raw host-realm object reach sandboxed code, which is enough for a sandbox escape and remote code execution on the host. The fix shipped in vm2 3.9.15.
vm2 is a popular JavaScript sandbox with over 16 million downloads from npm every month. It is designed to run untrusted code in an isolated context on Node.js servers, letting that code execute with a restricted set of capabilities while blocking access to the host's system resources and data.
After the patch was released, the KAIST researchers published two PoC exploits for CVE-2023-29017. Each creates a file named "flag" on the host, demonstrating that the sandbox can be bypassed and that arbitrary commands, here one that writes a file, run outside it. Running the PoC against your own deployment is a quick check: if "flag" appears on the host, the installed vm2 is vulnerable and should be upgraded to 3.9.15 or later.