Node.js: vm2 sandbox escape possible again

A critical security vulnerability in the Node.js sandbox vm2 can allow malicious code to pass through. A security patch is available for download.


The vm2 sandbox is once again leaky in Node.js environments: attackers can smuggle malicious code onto the host system and execute it there. Admins should install the security update promptly.

As a warning on GitHub indicates, the critical vulnerability has not yet received a CVE number. Because of a flaw in the sandbox, attackers can gain control of a host process from within the sandbox and thereby take control of the host system, which lets malicious code reach the host. How an attack would proceed in detail is not yet known, but proof-of-concept code is available on the GitHub page mentioned. The developers state that the vulnerability is closed in vm2 3.11.3.
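For admins who want to find out whether a project still ships an affected vm2 before updating, the following script is an added example (not code from the article, vm2 or its maintainers): it walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3) and reports every installed copy of vm2, including copies nested under other dependencies, whose version is older than the 3.11.3 release the developers name as fixed. The sample lockfile embedded at the end is constructed for the demonstration.

```javascript
// Added example: flag vm2 installs older than the fixed release named in the article.
const FIXED_VM2 = "3.11.3";

// Parse "MAJOR.MINOR.PATCH" (an optional "v" prefix and any pre-release suffix are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every key of the "packages" map that ends in "node_modules/vm2" is one installed
// copy, whether top-level or nested under another dependency's node_modules.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path) || !entry.version) continue;
    if (compareSemver(entry.version, FIXED_VM2) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Read and scan a lockfile from disk (CommonJS require is used only here).
function scanLockfile(file) {
  const fs = require("fs");
  return findVulnerableVm2(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample: the top-level vm2 is fixed, but a plugin pins an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.11.3" },
    "node_modules/some-plugin": { version: "2.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
  },
};

// Run directly: scan the lockfile given on the command line, or the sample if none is given.
const hits = process.argv[2] ? scanLockfile(process.argv[2]) : findVulnerableVm2(SAMPLE_LOCK);
for (const h of hits) console.log(`vm2 ${h.version} at ${h.path} is older than ${FIXED_VM2}`);
```

Run as `node check-vm2.js path/to/package-lock.json`; each reported path is a copy that `npm update` or an override of the nested dependency still has to lift to 3.11.3 or later.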


Recently, a sandbox vulnerability in Node.js 25 made headlines.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.