CVE-2022-36067 is the CVE ID assigned to the vm2 vulnerability. It carries a CVSS severity score of 10.0, the highest score possible.
An attacker can escape the vm2 sandbox by exploiting CVE-2022-36067. After successful exploitation, the attacker is able to run shell commands on the victim system that hosts the sandboxed environment.
- CVE ID: CVE-2022-36067
- Description: Remote execution vulnerability in vm2 sandbox library
- CVSS Score: 10
- Severity: Critical
- Status: Patched
On August 28, 2022, version 3.9.11 was released to address this critical vulnerability. vm2 is one of the most popular Node libraries for running untrusted code in a virtual machine with allow-listed built-in modules.
The root cause of the vulnerability is believed to be that the vm2 maintainers implemented a Node.js feature in an insecure manner.
The handling of an error that occurs in vm2 can be customized so that it generates objects called “CallSite”, which are used to customize the call stack.
By creating these objects, it is possible to access Node.js global objects outside of the sandbox and to execute commands.
The library’s authors had previously put a mitigation in place to limit this possibility, but Oxeye’s researchers found a way to bypass it by customizing the “prepareStackTrace” method.
The vm2 maintainers were notified of this critical issue a couple of days after Oxeye discovered it on August 16, 2022. Version 3.9.11, which addresses the issue, was released by the authors of the vm2 library on August 28, 2022.
Applications that use the sandbox without the patch might face alarming consequences if CVE-2022-36067 is exploited.
In response, cybersecurity experts have strongly recommended that users immediately install version 3.9.11 of the software in order to protect themselves.