CVE-2023-29017 in vm2
Summary
by MITRE • 04/06/2023
vm2 is a sandbox that can run untrusted code with a whitelist of Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
Analysis
by VulDB Data Team • 04/23/2023
vm2 is a sandboxing library for executing untrusted JavaScript inside Node.js while restricting the code to a whitelist of built-in modules. This vulnerability affects versions prior to 3.9.15 and stems from a flaw in how the sandbox handles error preparation, specifically for unhandled asynchronous errors. The impact reaches beyond the sandbox boundary: the flaw lets a threat actor escape the sandbox and achieve remote code execution on the host running it.
The root cause is improper handling of host objects passed to `Error.prepareStackTrace` when an unhandled asynchronous error occurs. In that scenario vm2 fails to keep the host environment isolated from the sandboxed execution context, so malicious code can reach host objects and methods that should remain out of reach. Because the error-preparation hook is part of the machinery that maintains sandbox integrity, manipulating it gives an attacker a path across the sandbox boundary.
The operational impact is severe for any system that relies on vm2 for execution isolation. An attacker can execute arbitrary code on the host with the privileges of the process running the sandbox, bypassing every protection vm2 is meant to enforce; the sandbox then provides no meaningful separation between trusted and untrusted code. Exploitation requires no privileges beyond the ability to run code inside the sandbox, which makes the flaw especially dangerous in multi-tenant or shared hosting scenarios.
The vulnerability aligns with CWE-242, which addresses the use of potentially dangerous functions, and exhibits characteristics consistent with the sandbox escape techniques described in the ATT&CK framework under T1553.001, which covers modifications to the system's error handling mechanisms. Organizations running vm2 in production must update to version 3.9.15 or later immediately, as no workaround exists for this flaw. The patch in 3.9.15 corrects the handling of host objects during error preparation so that asynchronous error scenarios preserve the isolation boundary vm2 is designed to enforce. Security teams should inventory every system using vm2, check for signs of exploitation, and apply the update to close this critical remote code execution vulnerability.
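Since the only remediation is upgrading, the practical check is finding every vm2 install below 3.9.15 in a dependency tree. The script below is an added example (not VulDB's or the vm2 project's code): it walks an npm lockfile in either the nested `dependencies` shape (lockfileVersion 1) or the flat `packages` shape (lockfileVersion 2/3), compares each vm2 version against the fixed release stated in the advisory, and reports which installs are vulnerable. The sample lockfile and the simplified prerelease ordering are assumptions made for the example.

```javascript
// Added example: audit an npm lockfile for vm2 versions affected by CVE-2023-29017.
// Not code from the advisory or from vm2 itself.
const FIXED_VERSION = '3.9.15'; // first fixed release, per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts before
// its release; prerelease tags are compared as plain strings (simplification).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Anything older than the fixed release is affected.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every vm2 install, including transitive copies nested under other packages.
function findVm2Installs(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Annotate each install with a vulnerable flag.
function auditLockfile(lock) {
  return findVm2Installs(lock).map((h) => ({ ...h, vulnerable: isVulnerableVm2(h.version) }));
}

// Constructed sample lockfile (lockfileVersion 3 shape): one direct vm2 that is
// affected and one transitive copy that is already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.14' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/vm2': { version: '3.9.15' },
  },
};

// CLI: `node audit-vm2.js package-lock.json`; without an argument, audit the sample.
if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const r of auditLockfile(lock)) {
    const verdict = r.vulnerable ? 'VULNERABLE (CVE-2023-29017), upgrade to >=3.9.15' : 'ok';
    console.log(`${r.path} vm2@${r.version}: ${verdict}`);
  }
}
```

Run it against a real `package-lock.json` to get one line per vm2 copy; a transitive copy pulled in by another dependency is flagged just like a direct one, which matters because upgrading the top-level package alone does not fix a nested older copy.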