Vm2, a JavaScript sandbox package that receives more than 16 million downloads each month, provides the synchronous execution of untrusted code within a single process.
Security researchers at Oxeye found CVE-2022-36067 in August 2022, a major vulnerability in vm2 with a CVSS score of 10 that should notify all vm2 users due to its potential for wide-ranging effects.
The Node.js functionality that allows vm2 maintainers to alter the call stack of failures in the software testing framework is the primary culprit in the vulnerability, which Oxeye’s researchers have dubbed SandBreak.
According to senior security researcher Gal Goldshtein of Oxeye, “when examining the prior issues revealed to the vm2 maintainers, we observed an unusual technique: the bug reporter leveraged the error mechanism in Node.js to escape the sandbox.”
Node.js executes a certain method and passes an array of “CallSite” objects as arguments when an error occurs. The researchers clarify that some CallSite objects might return items produced outside of the sandbox.
According to Oxeye, an attacker in charge of one of the returned objects may “access Node’s global objects and execute arbitrary system commands from there.”
The prepareStackTrace function of the Error object was called, and to reduce the risk, the vm2 implementation wrapped the called method and the called objects in a way that prevented users from modifying it.
Nevertheless, an attacker might offer their own implementation of the prepareStackTrace method and escape the sandbox because they did not cover all particular methods.
The researchers at Oxeye were also able to substitute their own implementation—which contained a unique prepareStackTrace function—for the global Error object. When it was called, it would discover a CallSite object outside the sandbox, enabling the host to run any code.
About August 28, vm2 version 3.9.11 was released, fixing the SandBreak vulnerability, but up until now, technical information on the flaw has been withheld. Later this week, Oxeye intends to publish a technical blog entry.
Oxeye requests that all vm2 sandbox instances in their environments be patched by AppSec engineers, R&D managers, and security experts.