Critical | Vulnerability | Active

NodeVM Builtin Allowlist Bypass via Module Loading

The `module` builtin in NodeVM allows bypassing the built-in allowlist, enabling sandbox escape and remote code execution.

Sebastion

CVE References

Affected

NodeVM (vm2) versions <9.0.1

The vulnerability arises from the `module` builtin exposing Node's `Module._load()` method, which loads any module in the host context, bypassing restrictions. This allows loading restricted built-ins like `child_process`, leading to remote code execution.

The PoC demonstrates that allowing the `module` builtin (explicitly or via wildcard) enables full sandbox escape. It highlights the importance of strict control over built-in modules in sandboxes.

- Monitor module loading: Watch for unexpected module loads, especially attempts to load restricted modules like `child_process`.
- Log analysis: Look for abnormal module-loading logs or anomalous activity in the host context.
- Network traffic: Monitor for signs of remote code execution attempts over the network.

- Update vm2: Upgrade to NodeVM 9.0.1 or higher, which restricts `Module._load`.
- Review allowlist: Ensure that critical built-ins are excluded from allowlists by default.
- Monitor sandbox activity: Closely monitor sandbox activity for any signs of module loading abuse.
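One way to automate the allowlist review and version check above, as an added example that is not vm2's code or part of the original advisory. It assumes the `require.builtin` allowlist treats `*` as "all builtins" and `-name` as an exclusion from that wildcard; the function names and sample configurations are hypothetical and constructed for illustration.

```javascript
// Added example: static audit of a NodeVM `require.builtin` allowlist.
// Assumption: '*' allows every builtin and '-name' excludes one from it.
const CRITICAL = ['module', 'child_process']; // builtins named in this advisory
const FIXED_VERSION = [9, 0, 1];              // fixed release stated on this page

// True when a dotted version string sorts below FIXED_VERSION.
function isAffectedVersion(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] || 0;
    if (have !== FIXED_VERSION[i]) return have < FIXED_VERSION[i];
  }
  return false; // equal to the fixed version
}

// Report how each critical builtin becomes reachable from the sandbox.
// Conservative: an explicit entry is flagged even if '-name' is also present.
function auditBuiltinAllowlist(builtin) {
  const list = Array.isArray(builtin) ? builtin.map(String) : [];
  const wildcard = list.includes('*');
  const findings = [];
  for (const name of CRITICAL) {
    if (list.includes(name)) {
      findings.push({ name, via: 'explicit' });
    } else if (wildcard && !list.includes('-' + name)) {
      findings.push({ name, via: 'wildcard' });
    }
  }
  return findings;
}

// Combine both checks for one sandbox configuration (constructed input shape).
function auditSandboxConfig({ version, builtin }) {
  const findings = auditBuiltinAllowlist(builtin);
  const exposesModule = findings.some((f) => f.name === 'module');
  return {
    affectedVersion: isAffectedVersion(version),
    findings,
    // The escape described here needs both an affected version and `module`.
    atRisk: isAffectedVersion(version) && exposesModule,
  };
}

// Constructed sample configurations, not taken from any real deployment.
const samples = [
  { version: '9.0.0', builtin: ['*'] },
  { version: '9.0.0', builtin: ['*', '-module', '-child_process'] },
  { version: '9.0.1', builtin: ['path', 'module'] },
];
for (const s of samples) console.log(JSON.stringify(auditSandboxConfig(s)));
```

A finding for `module` on a fixed version is still worth reviewing, since the advisory recommends excluding critical built-ins from allowlists by default.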

- Likelihood: High
- Threat actor interest: High, especially for applications handling untrusted code.
- Impact: Severe due to potential remote code execution and system compromise.