Posts

Showing posts from May, 2026

12 Critical Vulnerabilities Found in vm2 Node.js Library

Security researchers have disclosed a total of twelve vulnerabilities in vm2, a widely used open-source Node.js library, several of which carry the maximum possible CVSS score of 10.0. All versions up to and including 3.11.1 are affected, and users are strongly urged to upgrade to the newly released version 3.11.2 immediately.

What Is vm2?

vm2 is a Node.js sandbox library designed to safely execute untrusted JavaScript code in an isolated environment, preventing that code from accessing the underlying host system. It is commonly used in platforms that need to run user-supplied or third-party scripts without exposing the server to risk. The discovery of these flaws fundamentally undermines that security guarantee.

What the Vulnerabilities Allow

All twelve flaws share a common and critical outcome: they enable sandbox escape, meaning an attacker can break out of the isolated environment and execute arbitrary code directly on the host machine. Several of the vulnerabilities...