CVE-2022-36067

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.9.11

Description The issue is related to insufficient resource control with dynamic management in the vm2 library, allowing a remote attacker to execute arbitrary code by bypassing sandbox protections. The vulnerability affects the vm2 sandbox, which can run untrusted code with whitelisted Node's built-in modules. It is estimated that over 500 instances of Backstage, a popular developer portal, are vulnerable to this issue, with many of them accessible without authentication due to default deployment settings. The vulnerability was patched in version 3.9.11 of vm2.

Recommendations For versions prior to 3.9.11, update to version 3.9.11 or later to resolve the issue. As a temporary workaround, consider disabling the use of the vm2 sandbox until a patch is applied. Restrict access to the vm2 module to minimize the risk of exploitation. Avoid using the vm2 sandbox to run untrusted code until the issue is resolved.