Skip to content

Unsafe runInContext

What does this mean ?

The vm module enables compiling and running code within V8 Virtual Machine contexts. The vm module is not a security mechanism. Do not use it to run untrusted code.

What can happen ?

The first danger is a Denial of Service attack on your application. Because nodejs is single-threaded and relies on the Event loop, it is simple to take the program offline by blocking the event loop with heavy or infinite operations. The VM module isolates the context of newly called code from the context of the original application code. Providing a sandbox to run the code in a semi-isolated setting. However, it can readily avoided.

Recommendation

The recommendition here is never use the “VM” nodejs module to run untrusted data.

Sample Code

Vulnerable :

const vm = require('vm');

const code = 'while(true){}';

vm.runInNewContext(code,{});

console.log('Never gets executed.')

References