A flaw in vm2, a prominent JavaScript sandbox environment, may allow malicious actors to circumvent sandbox safeguards and perform remote code execution (RCE) on the host device. Vm2, which receives over four million downloads per week, establishes a safe context in Node.js servers that allows untrusted code to execute without compromising the server. The fact that vm2 is utilised in both production and developer environments increased the potential impact of the vulnerability, which was assigned a maximum CVSS score of 10.Oxeye Vulnerability researchers Gal Goldshtein and Yuval Ostrovsky uncovered the security weakness. “Our standard technique when analysing the security of a specific product is to first study past security flaws reported in the same software.” Read More…