New updates have been released for the vm2 JavaScript library in response to two severe vulnerabilities that could be taken advantage of to escape the sandboxes. Both flaws, referred to as CVE-2023-29199 and CVE-2023-30547, were rated 9.8 out of 10 on the CVSS scoring system and have been dealt with in versions 3.9.16 and 3.9.17. Exploitation of these flaws would allow an attacker to raise an unsanitized host exception, thus allowing them to run arbitrary code in the host context and escape the sandbox. The discovery and reporting of these vulnerabilities is credited to security researcher Seunghyun Lee, who has also released proof-of-concept exploits for both issues. It is worth noting that last year, researchers at Oxeye identified another critical vulnerability in vm2 called Sandbreak (CVE-2022-36067, CVSS score: 9.8) that could result in the execution of arbitrary code on the underlying system.
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net
Source: The Hacker News