CVE-2022-36067
Published: 06 September 2022
Summary
CVE-2022-36067 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in vm2 (Vm2 Project). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
vm2 is a JavaScript sandbox used to execute untrusted code while restricting access to a whitelist of Node.js built-in modules. The vulnerability, present in all versions prior to 3.9.11, allows an attacker to escape the sandbox and obtain arbitrary code execution on the underlying host. It is tracked as CWE-913 and carries a CVSS 3.1 base score of 10.0, reflecting a network attack vector, low attack complexity, and full confidentiality, integrity, and availability impact under a changed security scope.
An unauthenticated remote attacker who can supply code to the sandbox can exploit the flaw to run operating-system commands or access host resources outside the intended isolation boundary. Successful exploitation grants the same privileges as the process running vm2, typically resulting in complete host compromise.
The project maintainers released version 3.9.11 to correct the issue, and both the corresponding GitHub Security Advisory GHSA-mrgp-mrhc-5jrq and the NetApp advisory NTAP-20221017-0002 confirm that no configuration workarounds exist. The current EPSS score of 0.8447 (peak 0.8541) indicates sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6880
Vulnerability details
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization for, and maintaining ongoing control over, mobile code addresses this weakness class (CWE-913) by ensuring that dynamically loaded code resources are properly managed.