CVE-2023-30547: 
JavaScript vulnerability analysis and mitigation

CVE-2023-30547 is a critical security vulnerability discovered in the vm2 JavaScript sandbox module, affecting versions up to 3.9.16. The vulnerability was reported on April 17, 2023, by researchers from KAIST WSP Lab and received a CVSS score of 9.8. vm2 is a popular sandbox module used to run untrusted code with whitelisted Node's built-in modules, with approximately four million weekly downloads and integration into 721 packages (Security Online).

The vulnerability exists in the exception sanitization process of vm2. When host exceptions may leak host objects into the sandbox, code is preprocessed with the transformer() function to instrument the code with handleException() sanitizer function calls. For CatchClause with ObjectPattern, the code calls handleException() and then re-throws the sanitized exception inside a nested try-catch. The handleException() function is an alias of thisEnsureThis(), which calls thisReflectGetPrototypeOf(other) to access the object's prototype. However, this may be proxied through a getPrototypeOf() proxy handler, which can itself throw an unsanitized host exception, resulting in the outer catch statement receiving it (GitHub PoC).

The vulnerability allows attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context. This can lead to Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of the vm2 sandbox (GitHub Advisory).

The vulnerability was patched in version 3.9.17 of vm2. There are no known workarounds for this vulnerability, and users are strongly advised to upgrade to the patched version immediately (GitHub Advisory).