CVE-2023-29199: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-29199) was discovered in the VM2 library, affecting versions up to 3.9.15. The vulnerability resides in the library's source code transformer, specifically in the exception sanitization logic. This security flaw was discovered by Xion (SeungHyun Lee) of KAIST Hacking Lab and was patched in version 3.9.16 released on April 11, 2023 (GitHub Advisory, SecurityOnline).

The vulnerability exists in the source code transformer's exception sanitization logic, allowing attackers to bypass the handleException() function and leak unsanitized host exceptions. The flaw received a CVSS v3.1 base score of 9.8 (Critical), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically relates to how code is preprocessed with transformer() in lib/transformer.js, where the identifier name of catch clause is interpolated into insertions as code, leading to potential sandbox escape (NVD, GitHub Advisory).

The vulnerability allows threat actors to bypass sandbox protections and gain remote code execution rights on the host running the sandbox. With VM2 being widely used (over 16 million monthly downloads) across various applications including integrated development environments (IDEs), code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, and security tools, the potential impact is extensive (SecurityOnline).

The vulnerability has been patched in version 3.9.16 of VM2. No alternative workarounds are available, making it crucial for users to update to the patched version immediately (GitHub Advisory).