Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library

10-Oct-22

A major flaw in vm2 could allow a remote attacker to escape the sandbox and execute arbitrary code on the host. vm2, a popular JavaScript sandbox package with over 16 million monthly downloads, lets untrusted code run synchronously in a single session. The vulnerability, dubbed SandBreak by Oxeye's researchers, stems from the way the vm2 maintainers implemented a Node.js feature that lets them customize the call stack of errors raised in the software testing framework.