
New sandbox escape PoC exploit available for VM2 library, patch now
A security researcher has released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on a host running the VM2 sandbox.
VM2 is a specialized JavaScript sandbox used by a broad range of software tools for running and testing untrusted code in an isolated environment, preventing the code from accessing the host’s system resources or external data.
The library is often found in integrated development environments (IDEs), code editors, security tools, and various pen-testing frameworks. It counts several million downloads per month in the NPM package repository.
VM2 has had several critical sandbox escape disclosures over the past two weeks discovered by different security researchers, enabling attackers to run malicious code outside the constraints of the sandboxed environment.
The first sandbox escape flaw tracked as CVE-2023-29017 was discovered by Seongil Wi two weeks ago, with the latest two (CVE-2023-29199 and CVE-2023-30547) discovered by SeungHyun Lee.
Researchers from Oxeye discovered another sandbox escape tracked as CVE-2022-36067 in October 2022.
Sandbox escape flaw
The latest vulnerability is tracked as CVE-2023-30547 (CVSS score: 9.8 – critical) and is an exception sanitization flaw allowing an attacker to raise an unsanitized host exception inside “handleException().”
This function is meant to sanitize exceptions caught inside the sandbox to prevent leaking information about the host. However, if an attacker sets up a custom “getPrototypeOf()” proxy handler that throws an unsanitized host exception, the “handleException” function will fail to sanitize it.
This helps the attacker “access the host Function,” aka escape the sandbox restrictions and perform arbitrary code execution in the host context, allowing for potentially significant attacks.
The flaw was discovered by security analyst SeungHyun Lee of the Korea Advanced Institute of Science and Technology (KAIST), who found that it impacts all library versions from 3.9.16 and earlier.
The researcher has also published a proof of concept (PoC) exploit on his GitHub repository to demonstrate the feasibility of the attack, which creates a file named “pwned” on the host.

All users, package maintainers, and software developers whose projects incorporate the VM2 library are recommended to upgrade to version 3.9.17, which addresses the security flaw, as soon as possible.
Unfortunately, supply chain complexities affecting most open-source software projects might delay the upgrade of VM2 across the impacted tools. Coupled with the public availability of a PoC, many users may be left exposed to risks for an extended period.
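To find copies of VM2 that lag behind the fix, including ones pulled in transitively, a lockfile check along these lines can help. This is an added example, not code from the article or the VM2 project; `findVm2`, `isAffected` and the sample lockfile contents are constructed for illustration, and the version boundary (3.9.16 and earlier affected, 3.9.17 fixed) is the one stated above.

```javascript
// Version boundary from the article: 3.9.16 and earlier affected, 3.9.17 fixed.
const FIXED = [3, 9, 17];

// Returns true when a version string is older than FIXED (or cannot be parsed).
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true; // fail closed: flag unparseable versions for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return m[4] === "-"; // a pre-release of 3.9.17 sorts before the fixed release
}

// Lists every installed copy of vm2 recorded in a parsed package-lock.json.
function findVm2(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === "vm2") {
      hits.push({ path, version: pkg.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only if "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "vm2") hits.push({ path, version: pkg.version });
      walk(pkg.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile: a patched direct dependency plus an older copy
// pinned by a hypothetical transitive dependency named "report-runner".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.17" },
    "node_modules/report-runner": { version: "2.1.0" },
    "node_modules/report-runner/node_modules/vm2": { version: "3.9.16" },
  },
};

console.log(findVm2(SAMPLE_LOCK));
```

For a real project, pass `findVm2` the result of `JSON.parse` on the contents of `package-lock.json`.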
It’s unclear if the two sandbox escape flaws are completely new vulnerabilities or if they’re caused by incomplete patches for the original CVE-2023-29017 bug discovered by Wi.
BleepingComputer has asked Wi and Lee questions about these bugs and will update the story if we receive a response.