Critical Remote Code Execution Vulnerability Discovered in vm2 Sandbox Library


A critical flaw in vm2 could allow an attacker to escape the sandbox and execute arbitrary code on the host. Vm2, a JavaScript sandbox library that receives more than 16 million downloads each month, supports the synchronous execution of untrusted code within a single process.

Security researchers with Oxeye found CVE-2022-36067 in August 2022, a critical vulnerability in vm2 with a CVSS score of 10 that should alert all vm2 users due to its potential for wide-ranging effects.

The Node.js feature that allows vm2 maintainers to alter the call stack of errors in the software testing framework is the primary culprit in the vulnerability, which Oxeye’s researchers have dubbed SandBreak.

Read More: Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library

For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.