CVE-2022-36067: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2022-36067, known as SandBreak, affects the vm2 JavaScript sandbox library versions prior to 3.9.11. vm2 is a popular sandbox module with approximately 17.5 million monthly downloads that allows running untrusted code with whitelisted Node's built-in modules. The vulnerability was discovered by the Oxeye research team and disclosed in August 2022, receiving the maximum CVSS score of 10.0 (Critical) (GitHub Advisory, Help Net Security).

The vulnerability stems from improper error mechanism handling in Node.js that could be exploited to escape the sandbox environment. It is classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources). The vulnerability received a CVSS v3.1 Base Score of 10.0 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

Successful exploitation of this vulnerability allows an attacker to bypass the vm2 sandbox protections and gain remote code execution rights on the host running the sandbox. Given that sandboxes are commonly used for examining email attachments, providing security layers in web browsers, and isolating running applications, the potential impact is severe. The vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory, Help Net Security).

The vulnerability was patched in vm2 version 3.9.11. There are no known workarounds, making it critical for users to upgrade to the patched version immediately. Security experts recommend separating the logical sensitive part of applications from the microservice that runs the sandbox code to limit the attack surface in case of successful sandbox escapes (GitHub Advisory, Help Net Security).