• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
researchers detail critical rce flaw reported in popular vm2 javascript

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

You are here: Home / General Cyber Security News / Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox
October 11, 2022

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to split out of security obstacles and conduct arbitrary functions on the underlying machine.

“A danger actor can bypass the sandbox protections to acquire remote code execution rights on the host operating the sandbox,” GitHub explained in an advisory posted on September 28, 2022.

CyberSecurity

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity ranking of 10 on the CVSS vulnerability scoring system. It has been tackled in version 3.9.11 launched on August 28, 2022.

vm2 is a well-known Node library that’s utilized to operate untrusted code with allowlisted designed-in modules. It can be also 1 of the most widely downloaded program, accounting for just about 3.5 million downloads per week.

vm2 JavaScript Sandbox

The shortcoming is rooted in the error system in Node.js to escape the sandbox, in accordance to software security company Oxeye, which uncovered the flaw.

This signifies that effective exploitation of CVE-2022-36067 could permit an attacker to bypass the vm2 sandbox environment and operate shell instructions on the procedure hosting the sandbox.

CyberSecurity

In light-weight of the critical character of the vulnerability, end users are proposed to update to the newest version as quickly as possible to mitigate attainable threats.

“Sandboxes serve various functions in modern purposes, these types of as examining attached data files in email servers, delivering an more security layer in web browsers, or isolating actively operating apps in sure running systems,” Oxeye reported.

“Supplied the nature of the use conditions for sandboxes, it is really clear that the vm2 vulnerability can have dire outcomes for purposes that use vm2 without the need of patching.”

Uncovered this report interesting? Stick to THN on Fb, Twitter  and LinkedIn to read through extra exclusive material we write-up.


Some parts of this post are sourced from:
thehackernews.com

Previous Post: «Cyber Security News #ISC2Congress: Cybersecurity Pros Must Prepare for Emerging Deepfake Threats
Next Post: Toyota discovers five-year-old email leak, customers at risk of phishing attacks toyota discovers five year old email leak, customers at risk of phishing»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • CTEM is the New SOC: Shifting from Monitoring Alerts to Measuring Risk
  • Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • New TokenBreak Attack Bypasses AI Moderation with Single-Character Text Changes
  • AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar
  • Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
  • Non-Human Identities: How to Address the Expanding Security Risk
  • ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Copyright © TheCyberSecurity.News, All Rights Reserved.