CVE-2022-25893
Arbitrary Code Execution vulnerability in vm2 (npm)
What is CVE-2022-25893 About?
This vulnerability in vm2 before version 3.9.10 allows arbitrary code execution due to an improper prototype lookup for `WeakMap.prototype.set`. Attackers can exploit it to escape the sandbox and execute code on the host system. Exploitation requires crafting specific code that leverages the prototype pollution.
Affected Software
Technical Details
The vulnerability in vm2 arises from an insecure prototype lookup when the host calls `WeakMap.prototype.set`. Because the method is resolved through the prototype chain at call time, code running inside the sandbox can override `set` on the WeakMap prototype; the host then unknowingly invokes the attacker's function and hands it the objects it was storing. This allows the attacker's code to introduce or modify properties on objects that are normally host objects or part of the trusted environment. Through this prototype pollution, the attacker gains unauthorized access to host objects and can ultimately execute arbitrary code outside the vm2 sandbox, achieving a sandbox escape.
What is the Impact of CVE-2022-25893?
Successful exploitation may allow attackers to execute arbitrary code on the underlying host system, compromise the integrity, confidentiality, and availability of data, and potentially gain full control of the affected server.
What is the Exploitability of CVE-2022-25893?
Exploiting this vulnerability generally requires the ability to execute code within the vm2 sandbox, typically through user-supplied scripts or functions. The complexity is moderate, as it involves understanding the JavaScript prototype chain and crafting specific code to leverage the WeakMap prototype pollution for a sandbox escape. Authentication depends on how the sandboxed code execution environment is exposed, but once code can be run in the sandbox, no further authentication is usually needed. Privilege requirements are limited to capabilities within the sandbox, which are then elevated upon a successful escape. This is primarily a local vulnerability from the perspective of the sandboxed code, but the initial vector could be remote if an application accepts user-provided code. The presence of functions in the sandbox that an attacker can control is a key risk factor.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25893?
About the Fix from Resolved Security
The patch replaces direct calls to `wrappedPrepareStackTrace.set(...)` with calls to the `set` method made through `localReflectApply`, so that the captured method from `LocalWeakMap.prototype` is invoked regardless of what the sandbox has assigned to `set`, rather than a potentially overridden or malicious one. This fixes CVE-2022-25893 by preventing attackers from exploiting prototype pollution or method override to gain access to untrusted objects or escalate privileges in the sandboxed environment.
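The following is an added example, not vm2's own code, that shows the difference between the two call patterns described above: a host-side store that resolves `set` through the prototype chain at call time versus one that invokes a method reference captured before any untrusted code ran (the pattern vm2 adopted with `LocalWeakMap.prototype.set` and `localReflectApply`). The names `trustedSet`, `trustedApply`, `storeInsecure`, `storeHardened` and `installInterceptor` are this example's own, and the host object is a constructed sample.

```javascript
'use strict';

// Trusted references captured at load time, before any untrusted code runs.
// vm2's fix uses the analogous LocalWeakMap.prototype.set and localReflectApply;
// the names here are this example's own (assumption, not vm2's identifiers).
const trustedSet = WeakMap.prototype.set;
const trustedApply = Reflect.apply;

// Insecure form: `map.set` is resolved via the prototype chain at call time,
// so whatever currently sits at WeakMap.prototype.set receives the arguments.
function storeInsecure(map, key, hostObject) {
  map.set(key, hostObject);
  return map;
}

// Hardened form: call the captured trusted method directly, bypassing lookup.
function storeHardened(map, key, hostObject) {
  trustedApply(trustedSet, map, [key, hostObject]);
  return map;
}

// Models what code sharing the realm can do: replace the prototype method so
// every later `.set` call on any WeakMap is routed through it. Returns the log
// of values that reached the replacement plus a restore function.
function installInterceptor() {
  const leaked = [];
  WeakMap.prototype.set = function (key, value) {
    leaked.push(value); // sees whatever the host passed in
    return trustedApply(trustedSet, this, [key, value]);
  };
  return { leaked, restore() { WeakMap.prototype.set = trustedSet; } };
}

// Runs both store patterns with the interceptor installed and reports how many
// host objects each pattern exposed to the overridden method.
function demo() {
  const interceptor = installInterceptor();
  const key = {};
  const hostObject = { note: 'constructed host-side object' }; // constructed sample
  try {
    storeInsecure(new WeakMap(), key, hostObject);
    const leakedByInsecure = interceptor.leaked.length;
    storeHardened(new WeakMap(), key, hostObject);
    const leakedByHardened = interceptor.leaked.length - leakedByInsecure;
    return { leakedByInsecure, leakedByHardened };
  } finally {
    interceptor.restore();
  }
}

console.log(demo()); // { leakedByInsecure: 1, leakedByHardened: 0 }
```

The design point is that the hardened form never performs a property lookup on an object the untrusted side can influence: both the function (`WeakMap.prototype.set`) and the invoker (`Reflect.apply`) are captured once, at a time when only trusted code has run, and are used as values thereafter. Any host/sandbox boundary that shares built-in prototypes needs the same discipline for every built-in it calls, not just `set`.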
Available Upgrade Options
- vm2
  - <3.9.10 → Upgrade to 3.9.10
Additional Resources
- https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69
- https://github.com/patriksimek/vm2/issues/444
- https://github.com/patriksimek/vm2
- https://github.com/patriksimek/vm2/pull/445
- https://nvd.nist.gov/vuln/detail/CVE-2022-25893
- https://security.snyk.io/vuln/SNYK-JS-VM2-2990237
- https://osv.dev/vulnerability/GHSA-4w2j-2rg4-5mjw
What are Similar Vulnerabilities to CVE-2022-25893?
Similar Vulnerabilities: CVE-2022-3160, CVE-2022-3161, CVE-2022-36067, CVE-2021-29921, CVE-2021-23376
