vm2 Sandbox Vulnerability allows RCE


Recently, it was discovered that VM2, a widely used JavaScript sandbox library, contained a critical-severity remote code execution (RCE) vulnerability dubbed "Sandbreak". The vulnerability is tracked as CVE-2022-36067 and has a CVSS rating of 10.

The JavaScript sandbox library VM2 is downloaded more than 16 million times a month from the NPM package repository. This vulnerability makes it possible to bypass the vm2 sandbox environment and run shell commands on the computer hosting the sandbox.

Sandboxes are designed to be an enclosed environment, separate from the rest of the operating system. Because developers frequently employ sandboxes to run or test potentially unsafe code, the capacity to "escape" from this constrained environment and execute code on the host is a significant security issue.

Summary
  • CVE: CVE-2022-36067
  • CVSS Score: 10
  • Severity: Critical
  • Impact: A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox
  • Affected Product: VM2 versions prior to version 3.9.11
  • Recommendation: Update to the patched release, vm2 version 3.9.11
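The practical follow-up to the recommendation above is to find every copy of vm2 in a project, including nested copies pulled in transitively by other packages, and flag any below 3.9.11. The script below is an added example, not code from the advisory or from the vm2 project. It assumes the npm lockfile v2/v3 layout, where each installed package is keyed by its install path under a top-level `packages` map; the sample lockfile and the dependency named `legacy-runner` are constructed for illustration.

```javascript
// Added example (not from the original advisory or the vm2 project): audit an
// npm package-lock.json style dependency tree for vm2 releases below 3.9.11.
// Assumes the lockfile v2/v3 shape: { packages: { "node_modules/...": { version } } }.

const PATCHED_VM2_VERSION = "3.9.11"; // first fixed release per the advisory

// Compare two dotted numeric versions (x.y.z); returns -1, 0, or 1.
// A pre-release suffix such as "3.9.11-beta" is stripped, so a pre-release is
// treated as the numbered release it precedes (a deliberately cautious choice).
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareVersions(version, PATCHED_VM2_VERSION) < 0;
}

// Walk the lockfile "packages" map and return every vm2 install path
// (top-level or nested under another dependency) whose version is below 3.9.11.
function findVulnerableVm2(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // npm keys each install by path, e.g. "node_modules/foo/node_modules/vm2";
    // the anchored pattern avoids matching similarly named packages like "vm2-helper".
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (meta && meta.version && isVulnerableVm2(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the direct vm2 dependency is already on the
// patched release, but a hypothetical dependency "legacy-runner" still carries
// its own stale nested copy, which a top-level-only check would miss.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/legacy-runner": { version: "0.4.2" },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.9.10" },
    "node_modules/vm2-helper": { version: "3.9.1" }, // different package, not flagged
  },
};

const findings = findVulnerableVm2(SAMPLE_LOCKFILE);
if (findings.length === 0) {
  console.log("No vm2 installs below " + PATCHED_VM2_VERSION + " found.");
} else {
  for (const f of findings) {
    console.log("VULNERABLE: " + f.path + " is vm2 " + f.version + " (< " + PATCHED_VM2_VERSION + ")");
  }
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Nested copies are the point of walking the full `packages` map: updating the direct dependency to 3.9.11 does not remove an older vm2 that another package pins underneath itself.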

Sources

https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067

https://www.bleepingcomputer.com/news/security/critical-vm2-flaw-lets-attackers-run-code-outside-the-sandbox/
