Sandbreak – A Critical Remote Code Execution Bug Found in Widely Used vm2 JavaScript Sandbox

In the JavaScript sandbox library vm2, the cybersecurity analysts at Oxeye research team have recently found a severe RCE flaw dubbed, “Sandbreak.”

Through the NPM package repository, the vm2 sandbox library achieves a total of 16 million downloads each month since it is one of the most popular JavaScript sandboxes.

CVE-2022-36067 is the CVE ID that has been assigned to the vm2 vulnerability. As a result, the CVSS has assigned a severity score of 10.0 to this vulnerability, which is the highest score possible.

An attacker can circumvent the vm2 environment by exploiting the CVE-2022-36067 vulnerability. After the successful exploitation of this vulnerability, the attacker is able to run shell commands on the system of the victim running within a sandboxed environment.

Flaw Profile

  • CVE ID: CVE-2022-36067
  • Description: Remote execution vulnerability in vm2 sandbox library
  • CVSS Score: 10
  • Severity: Critical
  • Status: Patched

Technical Analysis

As of August 28, 2022, version 3.9.11 has been released to address this critical vulnerability. With the built-in module allow listed, vm2 is one of the most popular Node libraries for running untrusted code within the virtual machine.

The vm2 maintainers are believed to have implemented a Node.js feature in an insecure manner, which has been the root cause of this vulnerability.

An error that occurs in VM2 can be customized in order to generate an object called a “CallSite”, which can be used to customize the call stack. 

Due to this, it is possible to execute commands and access the global objects of Node.js outside of the sandbox by creating these objects.

Oxeye’s researchers found a way to bypass the mitigation mechanism used by the library’s authors, which served as a means of limiting the possibility of this happening in the past. While to achieve this, the “prepareStackTrace” method can be customized in order to perform this action.


VM2 was notified about this critical issue a couple of days after Oxeye discovered it on August 16, 2022. A version of 3.9.11, which addresses this issue, was released on August 28, 2022, by the authors of the VM2 library.

Applications that make use of the Sandbox without any patches might face alarming consequences as a result of the exploitation of CVE-2022-36067.

In response to this, cybersecurity experts have strongly recommended that users should immediately install version 3.9.11 of the software, in order to protect themselves.

Block more Intense DDoS Attacks Under 5 Minutes, Always Enable Multi-layered Protection.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.