VM2 Node.js Library security advisory (AV26-432)
Analysis Summary
# Vulnerability: VM2 Sandboxing Library Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2023-30547 (and associated sandbox escape flaws)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code) / CWE-693 (Protection Mechanism Failure)
## Affected Systems
- **Products:** VM2 Node.js sandboxing library
- **Versions:** All versions prior to 3.9.17 (the advisory's reference to 3.11.2 reflects the final series of patches released before the project was deprecated).
- **Configurations:** Any environment using VM2 to run untrusted code.
## Vulnerability Description
The vulnerability allows an attacker to bypass the sandbox protections provided by the VM2 library. In affected versions, the library fails to properly handle exceptions raised by "host" objects. By triggering a specific error sequence, an attacker can escape the restricted environment and gain access to the host's `process` object, which allows arbitrary system commands to be executed outside the intended sandbox boundary.
## Exploitation
- **Status:** PoC available; widely known public exploits exist.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to host data)
- **Integrity:** High (Ability to modify host files/system)
- **Availability:** High (Ability to crash the host or delete services)
## Remediation
### Patches
- **Update to VM2 v3.9.17 or higher:** This version addresses the immediate sandbox escape flaws.
- **Important Note:** As of late 2023, the VM2 project has been **deprecated** and is no longer maintained. Users are strongly advised to migrate away from VM2 to alternative solutions like `isolated-vm`.
### Workarounds
- There are no reliable software-level workarounds for these vulnerabilities other than updating the library or migrating to a different sandboxing technology.
## Detection
- **Indicators of Compromise:** Unusual child process spawns originating from the Node.js process (e.g., `/bin/sh` or `cmd.exe`).
- **Detection methods and tools:**
  - Use `npm audit` or `yarn audit` to identify vulnerable versions in the dependency tree.
  - Security scanners: Snyk, OSV-Scanner, or GitHub Dependabot.
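As an added example (not part of the advisory or the VM2 project), the following Node.js snippet walks a `package-lock.json` dependency tree and flags every installed copy of `vm2` older than 3.9.17, including nested copies that a top-level check would miss. The lockfile content and the `legacy-plugin` dependency are constructed for illustration.

```javascript
// Added example: flag vulnerable vm2 copies in a package-lock.json (lockfileVersion 2 or 3).
// The lockfile object below is constructed for illustration; in practice it is read from disk.
const FIXED_VERSION = '3.9.17'; // first vm2 release containing the fix for CVE-2023-30547

function parseVersion(v) {
  // Drop prerelease/build suffixes and compare numerically: "3.9.17" -> [3, 9, 17]
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function isOlderThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal versions are not older
}

function findVulnerableVm2(lock) {
  // lockfileVersion >= 2 keys every installed package by its path under node_modules,
  // so a transitive dependency's own vm2 appears as a separate, deeper entry.
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (isOlderThan(meta.version, FIXED_VERSION)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: a patched top-level vm2 plus a vulnerable nested copy pulled in by
// a hypothetical dependency named "legacy-plugin".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/legacy-plugin': { version: '0.4.2', dependencies: { vm2: '^3.9.10' } },
    'node_modules/legacy-plugin/node_modules/vm2': { version: '3.9.16' },
  },
};

const vulnerableHits = findVulnerableVm2(sampleLock);
for (const h of vulnerableHits) console.log(`vulnerable vm2 ${h.version} at ${h.path}`);
```

Lockfiles with `lockfileVersion` 1 nest packages under `dependencies` instead of `packages` and would need a recursive walk; the version comparison above applies unchanged.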
## References
- **Vendor Advisory:** hxxps[://]github[.]com/patriksimek/vm2/security/advisories/GHSA-ch3p-8v36-p9p6
- **Release Notes:** hxxps[://]github[.]com/patriksimek/vm2/releases/tag/3.9.17
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/vm2-nodejs-library-security-advisory-av26-432