CVE-2022-36067

Severity: Critical · Public PoC

Published: 06 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (version 3.9.11)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8447 (99.3rd percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36067 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in vm2, the JavaScript sandbox maintained by the vm2 project. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

vm2 is a JavaScript sandbox used to execute untrusted code while restricting access to a whitelist of Node.js built-in modules. The vulnerability, present in all versions prior to 3.9.11, allows an attacker to escape the sandbox and obtain arbitrary code execution on the underlying host. It is tracked as CWE-913 and carries a CVSS 3.1 base score of 10.0 reflecting network attack vector, low complexity, and full confidentiality, integrity, and availability impact under a changed security scope.

An unauthenticated remote attacker who can supply code to the sandbox can exploit the flaw to run operating-system commands or access host resources outside the intended isolation boundary. Successful exploitation grants the same privileges as the process running vm2, typically resulting in complete host compromise.

The project maintainers released version 3.9.11 to correct the issue, and the corresponding GitHub Security Advisory GHSA-mrgp-mrhc-5jrq together with the NetApp advisory NTAP-20221017-0002 confirm that no configuration workarounds exist. The current EPSS score of 0.8447 (peak 0.8541) indicates sustained exploitation interest after disclosure.
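Because the only remediation is upgrading to vm2 3.9.11 or later, the practical defender's task is finding every copy of vm2 below that version, including transitive copies nested under other dependencies. The script below is an added example written for this page; it is not code from the vm2 project or from either advisory. It assumes an npm `package-lock.json` in lockfileVersion 2 or 3 format (a `packages` map keyed by install path) and uses a constructed sample lockfile so it runs offline; swap in `fs.readFileSync('package-lock.json', 'utf8')` to scan a real project.

```javascript
'use strict';

// Added example (not from the advisory or the vm2 project): flag vm2 installs
// older than 3.9.11, the first release that closes CVE-2022-36067.
const FIXED_VERSION = '3.9.11';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease of X.Y.Z sorts before the X.Y.Z release, so a 3.9.11
// prerelease build is still reported as vulnerable.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// "All versions prior to 3.9.11" is the affected range given in the advisory.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/vm2" or "node_modules/foo/node_modules/vm2",
// so nested (transitive) copies are found as well as the top-level one.
function scanLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === 'vm2' || installPath.endsWith('/vm2')) {
      findings.push({
        path: installPath,
        version: meta.version,
        vulnerable: isVulnerableVm2(meta.version),
      });
    }
  }
  return findings;
}

// CONSTRUCTED sample lockfile: one vulnerable top-level vm2 and one patched
// copy nested under a hypothetical dependency "some-lib".
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.9.0', 'some-lib': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.10' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { vm2: '3.9.11' } },
    'node_modules/some-lib/node_modules/vm2': { version: '3.9.11' },
  },
});

// Report every vm2 copy found in the sample; replace SAMPLE_LOCK with the
// contents of a real package-lock.json to audit a project.
for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? 'VULNERABLE (< 3.9.11)' : 'patched'}`);
}
```

Run with `node scan-vm2.js`; any line marked VULNERABLE is a copy that needs the dependency (or the package that pins it) bumped so that vm2 resolves to 3.9.11 or later. Since the advisories confirm there is no configuration workaround, the version check is the only meaningful control to automate here.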

Vulnerability details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.…

This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

CWE(s)

CWE-913: Improper Control of Dynamically-Managed Code Resources

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vm2 project
Product: vm2
Versions: ≤ 3.9.11

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-913: requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.