Sensitive information sent insecurely In vm2
Description
vm2 has Sandbox Breakout Through Null Proto Exception
Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
Details
In handleException due to // SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis`) exceptions with a null proto will be assumed to come from the other side and being proxied. Therefore, it is possible to get the proxied and unproxied object of a sandbox object with a null proto when thrown and then catched which allows to get the host Function object.
PoC
const {VM} = require("vm2"); const vm = new VM(); console.log(vm.run(` const o = {__proto__: null}; try { throw o; } catch (e) { e.f = Buffer.prototype.inspect...
Impact
Attackers can perform Remote Code Execution under the assumption that arbitrary code can be executed inside the context of a vm2 sandbox.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | vm2 | 3.11.2 |
Aliases
References