Summary
vm2 patched eight vulnerabilities, including five critical sandbox escapes rated CVSS 10.0, that allow attackers to execute arbitrary code on the host system. The flaws stem from logic errors in option handling, WebAssembly JSPI interactions, and module denylist bypasses.
Take Action:
If you use vm2 to run untrusted code, update to version 3.11.4 ASAP. Given the repeated sandbox escape flaws reported in this library, consider moving high-risk script execution to stronger isolation layers such as gVisor or lightweight virtual machines.
This article was originally published on BeyondMachines