vm2 vulnerable to Sandbox Escape before v3.9.11
CVE-2022-36067

10CRITICAL

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 6 September 2022

🔔 Create Patriksimek Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 82%

What is CVE-2022-36067?

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

Affected Version(s)

vm2 < 3.9.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Exploit-For-CVE-2022-36067
Created by Prathamrajgor

CVE-2022-36067-vm2-POC-webapp
Created by 0x1nsomnia

References

https://github.com/patriksimek/vm2/security/advisories/GH...

https://github.com/patriksimek/vm2/issues/467

https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d8...

EPSS Score

82% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 5, 2022
👾
Exploit known to exist
Nov 5, 2022
Vulnerability published
Sep 6, 2022
Vulnerability Reserved
Jul 15, 2022

CVE-2022-36067 Data

JSON