VM2 Patched A Critical Vulnerability Allows Attackers to Run Code Outside the Sandbox

October 13, 2022

VM2 released a new version that addressed the Critical sandbox escape and remote code execution (RCE) vulnerability affecting the popular JavaScript sandbox library.

The Vulnerability

  • CVE-2022-36067 (CVSS 3.1: 10.0, Critical) – Vulnerability in the Node.js error mechanism as handled by the vm2 sandbox.

Successful exploitation could allow an attacker to escape the vm2 sandbox environment and run shell commands on the system hosting the sandbox.

Affected Versions

  • VM2 versions prior to 3.9.11

Mitigation

CYREBRO urges all clients to update to the latest VM2 version (3.9.11) and to replace older releases in their projects as soon as possible.
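Because vm2 is often pulled in transitively, updating the direct dependency is not always enough. The following Node.js script is an added example (not part of this advisory or of the vm2 project) that audits a lockfileVersion 2/3 package-lock.json for every installed copy of vm2 older than 3.9.11, including nested copies; the lock data at the bottom is constructed for the demonstration.

```javascript
// Added example (not from the advisory): audit a package-lock.json for copies
// of vm2 older than the fixed release 3.9.11, including transitive copies
// nested under node_modules/<pkg>/node_modules/vm2. Lock data is constructed.
const FIXED_VERSION = "3.9.11"; // from the advisory

// Parse "3.9.11", "v3.9.11" or "3.9.11-beta.1" into numeric parts + pre-release flag.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// True when a sorts before b; a pre-release sorts before its final release.
function semverLess(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i];
  }
  return x.pre && !y.pre;
}

// Any vm2 release older than 3.9.11 is in the advisory's affected range.
function isVulnerableVm2(version) {
  return semverLess(version, FIXED_VERSION);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed vm2 instance that is still in the affected range.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    if (isVulnerableVm2(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: the direct vm2 dependency is already on the fixed
// release, but a plugin still pins its own, vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.10" },
  },
};

const REPORT = findVulnerableVm2(SAMPLE_LOCK); // one hit: the nested 3.9.10 copy
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any reported path is a copy that still needs updating or overriding.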

References: VM2 Advisory
