Critical RCE Vulnerability Found in vm2 Sandbox Module

An extremely popular sandbox library with more than 16 million downloads a month, vm2 can run untrusted code securely in a single process with your code side by side.

Researchers from Oxeye discovered the vulnerability codenamed “Sandbreak”, a critical remote code execution vulnerability. A threat actor who exploits the vulnerability will be able to bypass the environment and run shell commands on the hosting machine of the sandbox.

This vulnerability has been given a maximum CVSS score of 10 and Github has issued an advisory CVE-2022-36067.