{"id":162455,"date":"2023-04-19T06:23:14","date_gmt":"2023-04-19T11:23:14","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/04\/critical-flaws-in-vm2-javascript-library-can-lead-to-remote-code-execution"},"modified":"2023-04-19T06:23:14","modified_gmt":"2023-04-19T11:23:14","slug":"critical-flaws-in-vm2-javascript-library-can-lead-to-remote-code-execution","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/04\/critical-flaws-in-vm2-javascript-library-can-lead-to-remote-code-execution","title":{"rendered":"Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution"},"content":{"rendered":"<p>A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections.<\/p>\n<p>Both the flaws \u2013 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-29199\" rel=\"noopener\" target=\"_blank\">CVE-2023-29199<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-30547\" rel=\"noopener\" target=\"_blank\">CVE-2023-30547<\/a> \u2013 are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively.<\/p>\n<p>Successful <a href=\"https:\/\/github.com\/advisories\/GHSA-xj72-wvfv-8985\" rel=\"noopener\" target=\"_blank\">exploitation<\/a> of the <a href=\"https:\/\/github.com\/patriksimek\/vm2\/security\/advisories\/GHSA-ch3r-j5x3-6q2m\" rel=\"noopener\" target=\"_blank\">bugs<\/a>, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A fresh round of patches has been made available for the vm2 JavaScript library to address two 
critical flaws that could be exploited to break out of the sandbox protections. Both the flaws \u2013 CVE-2023-29199 and CVE-2023-30547 \u2013 are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-162455","post","type-post","status-publish","format-standard","hentry","category-futurism"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/162455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=162455"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/162455\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=162455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=162455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=162455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}