The vm2 JavaScript sandbox library, commonly used in IDEs, code editors, and security tools, has a critical vulnerability (CVE-2023-29017) that allows threat actors to escape the sandbox and execute arbitrary code. The vulnerability affects all versions prior to 3.9.15 and has a CVSS score of 10.0. The issue stems from the library's improper handling of host objects when an asynchronous error occurs.

A proof-of-concept exploit for CVE-2023-29017 has been created by a Ph.D. student; it bypasses the sandbox protections and creates an empty file on the host system. An attacker who exploits the vulnerability could potentially execute code remotely on the host system.

A patch has been released in version 3.9.15, and there is no known workaround. Users are strongly advised to upgrade to version 3.9.15 of the vm2 library to address this issue.
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net).
Source: SOCRadar