10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36067

GHSA ID

GHSA-mrgp-mrhc-5jrq

EPSS Score

0.99381%

CWE

CWE-913

Published

9/28/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36067

CVE-2022-36067: vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.11 of vm2

Workarounds

None.

References

Github Issue - https://github.com/patriksimek/vm2/issues/467 The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71 The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

For more information

If you have any questions or comments about this advisory:

Open an issue in VM2

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36067

GHSA ID

GHSA-mrgp-mrhc-5jrq

EPSS Score

0.99381%

CWE

CWE-913

Published

9/28/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vm2	npm	< 3.9.11	3.9.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper isolation of the Error object in the sandbox environment. The patch in commit d9a7f3c adds 'Error: { value: LocalError }' to the global object descriptors in setup-sandbox.js (line 71). This indicates the original vulnerability allowed access to the host's Error prototype through the sandbox's global object. Attackers could overwrite Error.prepareStackTrace to intercept stack traces and access host environment objects via getThis() in call sites, ultimately escaping the sandbox. The test case added in the commit demonstrates this attack vector by manipulating global.Error to access process.mainModule.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * t*r**t **tor **n *yp*ss t** s*n**ox prot**tions to **in r*mot* *o** *x**ution ri**ts on t** *ost runnin* t** s*n**ox. ### P*t***s T*is vuln*r**ility w*s p*t**** in t** r*l**s* o* v*rsion `*.*.**` o* `vm*` ### Work*roun*s Non*. ### R*

Reasoning

T** vuln*r**ility st*ms *rom improp*r isol*tion o* t** `*rror` o*j**t in t** s*n**ox *nvironm*nt. T** p*t** in *ommit ******* ***s '*rror: { v*lu*: Lo**l*rror }' to t** *lo**l o*j**t **s*riptors in `s*tup-s*n**ox.js` (lin* **). T*is in*i**t*s t** ori

10

Basic Information

Concerned about an active attack path?

CVE-2022-36067: vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

Impact

Patches

Workarounds

References

For more information

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI