
GMS-2023-2358: Directus affected by VM2 sandbox escape vulnerability

September 15, 2023

Impact

In vm2 versions up to and including 3.9.19, the sanitization of Promise handlers can be bypassed, allowing code running inside the sandbox to escape it and execute arbitrary code on the host. In Directus this reaches the "Run Script" operation in Flows: a script supplied to that operation could escape the vm2 sandbox and run in the main Node.js process context, with the privileges of the Directus server.

Patches

Patched in v10.6.0 by replacing vm2 with isolated-vm as the sandbox for the "Run Script" operation.

Workarounds

None

References

  • github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
  • github.com/advisories/GHSA-22rr-f3p8-5gf8
  • github.com/directus/directus/security/advisories/GHSA-22rr-f3p8-5gf8
  • github.com/directus/directus/pull/19332
  • github.com/directus/directus/commit/284156426fa94f688e8d65a7a4f34f9e6705f058

Detect and mitigate GMS-2023-2358 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

Affected versions

All versions before 10.6.0

Fixed versions

  • 10.6.0

Solution

Upgrade to version 10.6.0 or above.
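The affected and fixed versions above are the whole of what a lockfile check needs. The following is an added example, not code from this advisory page, from GitLab Dependency Scanning, or from the Directus project: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and flags every copy of directus below 10.6.0 and every copy of vm2 at or below 3.9.19, including nested copies that npm keeps under another dependency's node_modules. The lockfile content is constructed sample input, and the small semver comparison is a deliberately minimal one written for this example.

```javascript
// Added example (not part of the advisory page or the Directus project):
// scan an npm package-lock.json "packages" map for the ranges this advisory
// names, directus < 10.6.0 and vm2 <= 3.9.19.
// SAMPLE_LOCKFILE is constructed input, not a real project's lockfile.

const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/directus": { version: "10.5.3" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/lodash": { version: "4.17.21" },
    // Nested copy: npm keeps a second vm2 under another dependency.
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.10" },
  },
});

// Minimal semver parser: numeric major.minor.patch plus an optional
// pre-release tag. Enough for the ranges in this advisory; it is not a
// full implementation of the semver spec.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. Numeric comparison per component (so 10.10.0 > 10.6.0,
// which a string comparison would get wrong); a pre-release sorts before
// the corresponding release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Version ranges taken from this page. The page gives no fixed vm2 version;
// the Directus fix is to stop using vm2 altogether (isolated-vm from 10.6.0).
const ADVISORY_RANGES = {
  directus: {
    id: "GMS-2023-2358",
    affected: (v) => compareVersions(v, "10.6.0") < 0,
    fix: "upgrade directus to 10.6.0 or above",
  },
  vm2: {
    id: "GHSA-cchq-frgv-rjh5",
    affected: (v) => compareVersions(v, "3.9.19") <= 0,
    fix: "see upstream advisory; Directus >= 10.6.0 replaces vm2 with isolated-vm",
  },
};

// Package name from a lockfile path is everything after the last
// "node_modules/" segment; this also keeps scoped names like @scope/pkg.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns one finding per affected lockfile entry, nested copies included.
function findAffected(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !ADVISORY_RANGES[name] || !entry.version) continue;
    const rule = ADVISORY_RANGES[name];
    if (rule.affected(entry.version)) {
      findings.push({ path, name, version: entry.version, advisory: rule.id, fix: rule.fix });
    }
  }
  return findings;
}

for (const f of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`${f.advisory}: ${f.path}@${f.version} is affected (${f.fix})`);
}
```

Run against the constructed lockfile it reports three entries: directus 10.5.3 and both vm2 copies. Checking every lockfile path rather than only the top-level dependency list is the point: an upgrade of Directus removes its own vm2 dependency, but a second, nested vm2 pulled in by some other package is a separate finding that the Directus upgrade does not address.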

Source file

npm/directus/GMS-2023-2358.yml


Page generated Wed, 14 May 2025 12:14:52 +0000.