Home > Cyber News > CVE-2023-29199: vm2 JavaScript Library Contains Severe Vulnerabilities
CYBER NEWS

CVE-2023-29199: vm2 JavaScript Library Contains Severe Vulnerabilities

by   |  Last Update:  |  0 Comments  

The vm2 JavaScript library has just released two new patches to mitigate two critical vulnerabilities, CVE-2023-29199 and CVE-2023-30547, both rated 9.8 on the CVSS scoring system. Versions 3.9.16 and 3.9.17, respectively, contain the fixes for the bugs which enable an intruder to escape the sandbox and execute code in the host context.

SeungHyun Lee, the security researcher responsible for discovering and reporting the flaws, has also published PoC exploits. This comes not long after another sandbox escape flaw (CVE-2023-29017, CVSS 9.8) was addressed. Oxeye researchers identified a particularly severe remote code execution vulnerability (CVE-2022-36067, CVSS score: 9.8) in vm2 last December, codenamed Sandbreak.

CVE-2023-29199- vm2 JavaScript Library Contains Severe Vulnerabilities

CVE-2023-29199

vm2 versions up to 3.9.15 are vulnerable to an exploit which allows threat actors to bypass the `handleException()` exception sanitization logic. This bypass permits the leakage of unsanitized host exceptions which then provide the means to escape the sandbox and execute code in the host context. The issue was rectified in version 3.9.16.

CVE-2023-30547

The version `3.9.17` of `vm2` includes a patch for a vulnerability in exception sanitization which was present in all prior versions up to `3.9.16`. This vulnerability allowed attackers to utilize an unsanitized host exception inside `handleException()` to escape the sandbox and execute arbitrary code in the host context. As of now, no alternate solutions exist, so users are strongly urged to upgrade to the newest version.




What Is vm2 JavaScript Library?

vm2 is a popular JavaScript sandbox library utilized by different programs, like IDEs, code editors, and security tools, which lets code partially run on isolated Node.js servers while protecting system resources and external data from unauthorized access.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  2. Spotify’s Backstage Vulnerable to Critical Remote Code Execution A severe security vulnerability in Backstage, a CNCF-incubated, open-source project...
  3. CISA Warns of CVE-2023-1133, Other Severe Flaws in Industrial Software On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA)...
  4. January 2023 Patch Tuesday Fixes Actively Exploited CVE-2023-21674 The first Patch Tuesday fixes shipped by Microsoft for 2023...
  5. Gutenberg Template Library WordPress Plugin Contains Two Flaws (CVE-2021-38312) Two security vulnerabilities were discovered in the Gutenberg Template Library...
  6. VMware vRealize Log Contains Critical Vulnerabilities (CVE-2022-31706) VMware vRealize Log is vulnerable to several critical security vulnerabilities...
  7. Apple Fixes CVE-2023-28206, CVE-2023-28205 Zero-Days Apple has released emergency updates to address two actively exploited...
  8. Google’s Latest Android Security Update Fixes 47 Vulnerabilities Google has delivered their last and probably final Android update...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree