Multiple critical vulnerabilities have been detected in the open-source vm2 Node.js library, which is used to run JavaScript code in a secure, isolated environment.

These vulnerabilities could allow attackers to escape the sandbox environment provided by vm2 and execute arbitrary code or commands on the host server. In other words, malicious or untrusted code that is expected to be isolated by vm2 can, in some cases, bypass this protection and gain access to the underlying system.

The majority of the disclosed vulnerabilities are rated at a critical level of CVSS 9.8 and above. Some vulnerabilities even have the maximum risk score of CVSS 10.0. This poses a severe security risk for systems utilizing vm2.

The vulnerabilities enable sandbox escapes through various techniques, including lookupGetter, inspect, SuppressedError, the species property of Promise objects, prototype pollution, and NodeVM allowlist bypass.

Patrik Simek, the vm2 maintainer, has released patches for these vulnerabilities across different versions. For optimal protection, it is recommended that users upgrade vm2 to version 3.11.2 or later.These security flaws once again highlight the difficulty of completely isolating untrusted code in JavaScript-based sandbox solutions.

Recommendation: Developers and organizations using vm2 should check their dependencies, verify if they are using affected versions, and update to the latest version as soon as possible.

Some of the measures we need to take to protect against these types of attacks include:

• Rapid Patch Management and Version Control

• SCA (Software Composition Analysis) Integration

• Defense in Depth and Multi-Layered Isolation

• Principle of Least Privilege

• Network and Outbound Traffic Restrictions

For a quick assessment, you can contact us at info@zerosecond.ae.