Breaking the Boundaries: The Potentially Dangerous Exploit Code within JavaScript Sandbox VM2

Exploit code: Malicious code could break out of JavaScript sandbox vm2

JavaScript Sandbox “vm2” Vulnerability Puts Millions of Node.js Servers at Risk

A critical vulnerability in the JavaScript sandbox library vm2 could expose millions of Node.js servers to attacks by enabling malicious code to break out of the sandbox. Exploit code was recently published; once attackers have escaped from the vm2 sandbox, they can compromise the entire computer.

Developers use the vm2 library to run suspicious code in isolation on a Node.js server. Millions of developers download the vm2 sandbox from the NPM repository each month, which puts a large number of systems at risk of attack.

The vulnerability, identified as CVE-2023-29017, is rated 10 out of 10 on the CVSS scale. The error occurs during the processing of host objects in the Error.prepareStackTrace function, allowing attackers to break out to the host system and run malicious code. By doing so, they can compromise the entire computer.

The developers have fixed the vulnerability in the latest version of vm2, version 3.9.15. This version is not vulnerable, but all previous releases of vm2 are susceptible to attack. Developers who use vm2 are advised to upgrade to the latest version at their earliest convenience.
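
To check whether a project still resolves a vm2 release older than 3.9.15, the lockfile can be inspected directly. The following is an added example, not code from the vm2 project or the original article; the function names, the simplified version comparison and the sample lockfile (including the package name example-runner) are constructed for illustration.

```javascript
const FIXED = "3.9.15"; // first non-vulnerable version per the article

// Compare two dotted numeric versions; returns <0, 0 or >0.
// Pre-release/build suffixes ("-beta", "+build") are ignored: an assumption kept for brevity.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a parsed package-lock.json and return every vm2 install below FIXED.
// Handles the flat "packages" map (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1), so transitive copies are found too.
function findVulnerableVm2(lock) {
  const hits = [];
  const check = (where, version) => {
    if (typeof version === "string" && compareVersions(version, FIXED) < 0) {
      hits.push({ path: where, version });
    }
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) check(path, meta.version);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (name === "vm2") check(here, meta.version);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 files carry both; avoid double counting
  return hits;
}

// Constructed sample lockfile (package names other than vm2 are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/example-runner/node_modules/vm2": { version: "3.9.14" },
  },
};
console.log(findVulnerableVm2(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json to findVulnerableVm2; nested copies pulled in by other packages are reported with their full path.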

In conclusion, the vm2 sandbox vulnerability is a severe threat to Node.js servers. Millions of downloads mean that many systems need immediate attention. Therefore, developers should install the latest, non-vulnerable version of vm2 as soon as possible to mitigate any risk of an attack.
