Sandbox Escape via Mutable Proxies in vm2
A critical vulnerability in vm2 lets code running inside the sandbox reach and mutate the host realm's intrinsic prototypes, which is enough to escape the sandbox. The proof of concept shows untrusted code obtaining references to the host's core JavaScript objects and modifying them from inside the supposedly isolated environment.
CVE References
Affected
The vulnerability arises because vm2 exposed host intrinsic prototypes to the sandbox through proxies that remained mutable. vm2 mediates every crossing of the sandbox/host boundary with Proxy objects built by handler classes in its bridge; the BaseHandler methods that service property reads and writes on those proxies did not prevent writes from landing on the wrapped host objects. An attacker can therefore assign to Object.prototype, Array.prototype, or Function.prototype from inside the sandbox and have the write take effect on the host's own prototypes. Because every object and function in the host process inherits from those prototypes, attacker-controlled properties (for example a getter or an overridden method) are subsequently evaluated in the host realm, giving code execution outside the sandbox.
The PoC demonstrates that an attacker can manipulate the host prototypes on which the integrity of the whole JavaScript runtime depends. It shows how an environment that appears isolated is compromised as soon as a single mutable reference to a host primitive leaks across the boundary, and why those primitives must be protected explicitly in any in-process sandbox.
Monitor for unexpected modifications to Object.prototype, Array.prototype, and Function.prototype in processes that run untrusted JavaScript. Take a snapshot of their own property descriptors and [[Prototype]] links before untrusted code runs and compare it afterwards, and log any added, deleted, or redefined property for investigation. Perform this check from the host side: a check that executes inside the sandbox shares the attacker's realm and can be tampered with by the same prototype writes it is meant to detect.
Apply the patched vm2 release that fixes the proxy handling in BaseHandler. Note that vm2 has since been discontinued by its maintainer, who states that it should not be used in production and recommends migrating to isolated-vm; treat any remaining vm2 deployment that runs untrusted code as at risk. Freezing the host intrinsics before untrusted code runs (Object.freeze on the prototypes, or Node's experimental --frozen-intrinsics flag) blocks this class of write, at the cost of breaking libraries that patch built-ins. More fundamentally, isolate untrusted code at a boundary that does not share prototypes with the host at all: a separate V8 isolate, a separate process, or a container, with the least privilege the workload needs.
This vulnerability is highly likely to be exploited because a successful escape yields arbitrary code execution in the host Node.js process, with whatever filesystem, network, and credential access that process has. Services that use vm2 to run user-supplied JavaScript (plugin systems, serverless runners, online code evaluators) are the most exposed.
Sources