Popular server-side JavaScript security sandbox “vm2” patches remote execution hole
The security error was in the error handling system that was supposed to catch potential security errors...
JavaScript is a scripting language used in web pages and applications, where flaws in code or dependencies can enable attacks and data theft.
Search across headline titles and summaries.
Background for this topic.
JavaScript is a programming language used to add behavior to web pages and to build applications that run outside the browser, including server-side services and tooling. In browsers, scripts can read and modify a page’s content and interact with available web APIs, subject to the browser’s security boundaries.
Its main security risks include cross-site scripting (XSS), in which attacker-controlled input is executed as page code, and DOM-based flaws caused by unsafe handling of data in client-side code. Third-party scripts and package dependencies also expand the code supply chain and may expose user data or introduce vulnerable behavior. Practical controls include context-aware output encoding, avoiding unsafe DOM sinks, restrictive Content-Security-Policy rules, and reviewing, pinning, and monitoring dependencies for vulnerabilities.
The security error was in the error handling system that was supposed to catch potential security errors...
The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode
Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. [...]
In the height of tax-return season, a popular tax prep software service leaves a malicious JavaScript file online for weeks.
eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. [...]