Critical Vulnerability in vm2 Sandbox
11 October 2022
vm2, a widely used JavaScript sandbox library, has released security updates to address a critical vulnerability (CVE-2022-36067) in its sandbox. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10.
The vulnerability, known as SandBreak, affects all vm2 versions prior to version 3.9.11. Successful exploitation of the vulnerability enables threat actors to bypass sandbox protections to gain remote code execution rights on the host machine running the sandbox.
Administrators and users of affected product versions are advised to upgrade to the latest version immediately.
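One way to check a project against the 3.9.11 threshold stated above, as an added example that is not part of the original advisory: it walks a parsed npm `package-lock.json` object and reports every vm2 entry, including copies nested under other dependencies. The sample lockfile and the `some-dep` package name are constructed for illustration.

```javascript
// Added example: flag vm2 copies older than 3.9.11 in a parsed npm lockfile.
const FIXED = [3, 9, 11]; // first fixed version, per the advisory

// Affected = below 3.9.11, a pre-release of 3.9.11, or an unparseable version.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]*)?/.exec(String(version));
  if (!m) return true; // unknown format: flag it for manual review
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // same numbers as the fix: only a pre-release is older
}

// Collect vm2 entries from lockfileVersion 2/3 ("packages", keyed by path)
// and lockfileVersion 1 ("dependencies", nested), de-duplicated by path.
function findVm2(lock) {
  const hits = new Map();
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path)) hits.set(path, pkg.version);
  }
  (function walk(deps, prefix) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && !hits.has(path)) hits.set(path, dep.version);
      walk(dep.dependencies, `${path}/`);
    }
  })(lock.dependencies, '');
  return [...hits].map(([path, version]) =>
    ({ path, version, affected: isAffected(version) }));
}

// Constructed sample: the top-level vm2 is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.11' },
    'node_modules/some-dep/node_modules/vm2': { version: '3.9.9' },
  },
  dependencies: {
    vm2: { version: '3.9.11' },
    'some-dep': { version: '1.2.3', dependencies: { vm2: { version: '3.9.9' } } },
  },
};

console.log(findVm2(sampleLock).filter((hit) => hit.affected));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findVm2`.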
More information is available here: