Critical bug in popular vm2 Node.js sandboxing library puts projects at risk

“Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed,” the official advisory reads. “This allows attackers to escape the sandbox and run arbitrary code.”

Sandboxes like vm2 are needed by web and other Node-based applications whose functionality lets users or tools upload and execute scripts. Because user-controlled code is untrusted by nature, it cannot be allowed to execute in the same context as the application itself. Yet the host application still needs to observe and mediate what that code does.

The vm2 library achieves this through a complex network of proxies that intercept and mediate interactions between the sandbox and the host environment. But the complexity of JavaScript means there will likely always be a way to trick this chain of proxies.

The project is honest about this in its description: “Objects can be accessed through prototype chains, constructors can be reached via error objects, symbols provide protocol hooks, and async execution creates timing windows. The sheer number of ways to traverse from one object to another in JavaScript makes building an airtight in-process sandbox extremely difficult.”

The maintainer clearly warns that new bypasses will likely be discovered in the future; while they will be patched, the cat-and-mouse game will continue. In his announcement about the project’s resurrection in October, he noted that he hopes AI-assisted vulnerability detection will help catch more of these issues.

There are other ways to isolate code that provide stronger security guarantees, such as full process sandboxing, virtual machines and containers, but they come with heavier performance costs or add other complexities and hurdles. Those approaches are not vulnerability-free either.

The maintainer advises that vm2 should only be used when:
- You need tight integration with host objects and fast synchronous communication
- The untrusted code comes from a relatively trusted source (e.g., internal tools, plugin systems with vetted authors)
- You combine vm2 with other security layers (network isolation, filesystem restrictions, resource limits)
- You accept the risk and actively monitor for security updates

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4123782/critical-bug-in-popular-vm2-node-js-sandboxing-library-puts-projects-at-risk.html
