vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host · CVE-2022-36067 · GitHub Advisory Database · GitHub

vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

Critical severity GitHub Reviewed Published Aug 30, 2022 in patriksimek/vm2 • Updated Jan 30, 2023

Package

vm2 (npm)

Affected versions

< 3.9.11

Patched versions

3.9.11

Description

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.11 of vm2

Workarounds

None.

References

Github Issue - patriksimek/vm2#467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - patriksimek/vm2@d9a7f3c#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

For more information

If you have any questions or comments about this advisory:

Open an issue in VM2

References

patriksimek published to patriksimek/vm2

Aug 30, 2022

Published by the National Vulnerability Database

Sep 6, 2022

Published to the GitHub Advisory Database Sep 28, 2022

Reviewed Sep 28, 2022

Last updated Jan 30, 2023

Severity

Critical

10.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H