
Popular Node library impacted by critical RCE bug

Threat actors could exploit an already patched critical security flaw in vm2, a widely used Node.js sandbox library, to achieve remote code execution, according to The Hacker News. Discovered by application security company Oxeye, the vulnerability, dubbed 'Sandbreak' and tracked as CVE-2022-36067, stems from vm2's handling of Node.js's error stack-trace mechanism, which let code running inside the sandbox obtain a reference to an object outside it. Such a bug allows an attacker to escape the vm2 sandbox and execute shell commands on the system hosting it, the researchers said. Users of vm2 have been urged to immediately apply the software update addressing the flaw, which was issued on August 28.

"Sandboxes serve different purposes in modern applications, such as examining attached files in email servers, providing an additional security layer in web browsers, or isolating actively running applications in certain operating systems. Given the nature of the use cases for sandboxes, it's clear that the vm2 vulnerability can have dire consequences for applications that use vm2 without patching," said Oxeye.
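Because vm2 is frequently pulled in as a transitive dependency (and npm can install several copies at different versions), "apply the update" in practice means checking every copy in the lockfile, not just the top-level one. The following is an added example, not code from SC Media, Oxeye or the vm2 project: it walks an npm `package-lock.json` (both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and flags every vm2 entry older than the fixed release. It assumes the fix shipped in vm2 3.9.11 (the August 28 release; that version number is not stated on this page), and the lockfile content and the package name `example-transitive-dep` are constructed for the demo.

```javascript
// Added example (not from the article or the vm2 project): find every vm2
// copy in an npm lockfile and report those below the Sandbreak fix.
// Assumption: CVE-2022-36067 is fixed in vm2 3.9.11.
const FIXED_VM2_VERSION = "3.9.11";

// Parse "x.y.z" or "x.y.z-prerelease" (leading "v" tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release of x.y.z sorts BEFORE x.y.z (semver rule),
// so "3.9.11-0" is still reported as vulnerable; two pre-releases of the same
// x.y.z are treated as equal, which is good enough for a patched-or-not check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect { path, version } for every vm2 entry in a parsed lockfile.
function findVm2Instances(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, e.g. "node_modules/vm2" or
    // "node_modules/foo/node_modules/vm2" for a nested duplicate copy.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: meta.version });
      }
    }
    return found; // v2 also carries a legacy "dependencies" tree; don't double count
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Annotate each copy with whether it predates the fix.
function auditLockfile(lock) {
  return findVm2Instances(lock).map(({ path, version }) => ({
    path,
    version,
    vulnerable: compareVersions(version, FIXED_VM2_VERSION) < 0,
  }));
}

// Constructed sample: the app pins a patched vm2 at the top level, but a
// (made-up) dependency "example-transitive-dep" ships its own nested 3.9.10.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "example-transitive-dep": "^2.0.0", vm2: "^3.9.11" } },
    "node_modules/vm2": { version: "3.9.11" },
    "node_modules/example-transitive-dep": { version: "2.0.0", dependencies: { vm2: "3.9.10" } },
    "node_modules/example-transitive-dep/node_modules/vm2": { version: "3.9.10" },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.path} (vm2 ${r.version})`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`. The point of walking nested paths is the second line of the sample output: the top-level pin is fine, yet a vulnerable copy still gets installed underneath a dependency, and `npm ls vm2` or this script is the only way to see it.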
