{"id":161722,"date":"2023-04-08T04:22:16","date_gmt":"2023-04-08T09:22:16","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/04\/researchers-discover-critical-remote-code-execution-flaw-in-vm2-sandbox-library"},"modified":"2023-04-08T04:22:16","modified_gmt":"2023-04-08T09:22:16","slug":"researchers-discover-critical-remote-code-execution-flaw-in-vm2-sandbox-library","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/04\/researchers-discover-critical-remote-code-execution-flaw-in-vm2-sandbox-library","title":{"rendered":"Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/researchers-discover-critical-remote-code-execution-flaw-in-vm2-sandbox-library.jpg\"><\/a><\/p>\n<p>The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode.<\/p>\n<p>The flaw, which affects all versions, including and prior to 3.9.14, was <a href=\"https:\/\/github.com\/patriksimek\/vm2\/issues\/515\" rel=\"noopener\" target=\"_blank\">reported<\/a> by researchers from South Korea-based <a href=\"https:\/\/wsp-lab.github.io\/\" rel=\"noopener\" target=\"_blank\">KAIST WSP Lab<\/a> on April 6, 2023, prompting vm2 to release a fix with <a href=\"https:\/\/github.com\/patriksimek\/vm2\/releases\/tag\/3.9.15\" rel=\"noopener\" target=\"_blank\">version 3.9.15<\/a> on Friday.<\/p>\n<p>\u201cA threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,\u201d vm2 <a href=\"https:\/\/github.com\/advisories\/GHSA-7jxr-cg7f-gpgv\" rel=\"noopener\" target=\"_blank\">disclosed<\/a> in an advisory.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-161722","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/161722","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=161722"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/161722\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=161722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=161722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=161722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}