Critical VM2 flaw lets attackers run code outside the sandbox:
Researchers are warning of a critical remote code execution flaw in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository.
The vm2 vulnerability is tracked as CVE-2022-36067 and received a severity rating of 10.0, the maximum score in the CVSS system, as it could allow attackers to escape the sandbox environment and run commands on a host system.
Sandboxes are meant to be an isolated environment that is walled off from the rest of the operating system. However, as developers commonly use sandboxes to run or test potentially unsafe code, the ability to "escape" from this confined environment and execute code on the host is a massive security problem.
[...] "The reporter's POC bypassed the logic above since vm2 missed wrapping specific methods related to the 'WeakMap' JavaScript built-in type," the researchers explain in their report.
"This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox."
[...] Software developers are urged to update to the latest VM2 version and replace older releases in their projects as soon as possible.
For end users, it is important to note that it could take a while before virtualization software tools relying on VM2 apply the available security update.
As we saw with Log4Shell, a critical security problem in a widely deployed open-source library may persist for extended periods without the impacted users even knowing they're vulnerable due to the obscurity in the supply chain.
If you use a sandbox solution, check if it relies on VM2 and whether it's using the latest version.
Secure javascript????
(Score: 0, Offtopic) by MIRV888 on Monday October 17 2022, @01:23PM (1 child)
Java just seems like hell in a hand basket.
(Score: 5, Informative) by HiThere on Monday October 17 2022, @05:48PM
You seem to think that Javascript is related to Java. This is a mistake. It's a mistake that was intentionally fostered when they named Javascript. You wouldn't have made it if you thought of the scripting language as ECMAscript.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Informative) by Anonymous Coward on Monday October 17 2022, @01:32PM (1 child)
... you missed at least five question marks.
(Score: 0) by Anonymous Coward on Monday October 17 2022, @05:55PM
The person who modded parent as redundant is probably the same person who has confused java with javascript further up the page.
(Score: 3, Interesting) by darkfeline on Tuesday October 18 2022, @05:21AM
JavaScript. Sandbox. Library. Bonus points: NPM.
You know, my workplace has a casual "Scariest decorations contest". I think I'll print this out and post it on the wall.
Join the SDF Public Access UNIX System today!