The maintainers of the vm2 JavaScript sandbox module have shipped a patch to handle a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.
The flaw, which affects all variations, such as and prior to 3.9.14, was documented by scientists from South Korea-primarily based KAIST WSP Lab on April 6, 2023, prompting vm2 to launch a deal with with model 3.9.15 on Friday.
“A menace actor can bypass the sandbox protections to attain distant code execution rights on the host working the sandbox,” vm2 disclosed in an advisory.
![Mullvad VPN Discount](https://thecybersecurity.news/data/2022/05/Mullvad-VPN-245x300.png)
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The vulnerability has been assigned the identified CVE-2023-29017 and is rated 9.8 on the CVSS scoring program. The issue stems from the truth that it does not effectively take care of problems that happen in asynchronous features.
vm2 is a well-liked library that’s made use of to operate untrusted code in an isolated surroundings on Node.js. It has nearly 4 million weekly downloads.
Approaching WEBINARLearn to Protected the Identity Perimeter – Confirmed Methods
Enhance your company security with our impending expert-led cybersecurity webinar: Explore Identification Perimeter tactics!
Don’t Overlook Out – Help you save Your Seat!
KAIST security researcher Seongil Wi has also made readily available two diverse variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get all around the sandbox protections and allow for the creation of an empty file named “flag” on the host.
The disclosure will come virtually six months following vm2 settled an additional critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary functions on the underlying device.
Found this short article intriguing? Observe us on Twitter and LinkedIn to browse much more exceptional content material we put up.
Some areas of this article are sourced from:
thehackernews.com