
Potential sandbox escape for instances that have enabled transformation functions

Moderate
Half-Shot published GHSA-fr97-pv6w-4cj6 Sep 27, 2023

Package

docker half-shot:matrix-hookshot (Docker)

Affected versions

<4.5.0

Patched versions

4.5.0

Description

Impact

Instances that have enabled transformation functions (generic.allowJsTransformationFunctions in their config) may be vulnerable to an attack in which it is possible to break out of the vm2 sandbox. The vm2 library has been discontinued because of the complexity of fixing some sandbox escapes, and as a result Hookshot is vulnerable to these escapes.

This problem is only likely to affect you if you have allowed untrusted users to apply their own transformation functions. If you have only enabled a limited set of trusted users, this threat is reduced (though not eliminated).

Patches

Versions 4.5.0 and above of Hookshot include a new sandbox library, which should better protect users.

Workarounds

Disable generic.allowJsTransformationFunctions in the config.
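
To confirm the workaround is in place across deployments, the following added example (not from the advisory or the Hookshot project) reports the state of generic.allowJsTransformationFunctions in a config file. It assumes block-style YAML with a top-level generic: key; the function name js_transform_state and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Hookshot config for the setting named in the advisory.
# Assumption: block-style YAML with a top-level "generic:" mapping (no flow style).

js_transform_state() {
    # Prints one of: enabled, disabled, review (unrecognised value), unset.
    awk '
        /^[ \t\r]*(#|$)/ { next }                      # skip comments and blank lines
        /^[^ \t]/ {                                    # any top-level key starts a new section
            in_generic = ($0 ~ /^generic:[ \t\r]*(#.*)?$/)
            next
        }
        in_generic && /^[ \t]+allowJsTransformationFunctions:/ {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)              # drop the key
            sub(/[ \t]+#.*$/, "", val)                 # drop a trailing comment
            sub(/[ \t\r]+$/, "", val)                  # drop trailing whitespace or CR
            gsub(/"/, "", val)                         # drop double quotes
            val = tolower(val)
            if (val == "true")       state = "enabled"
            else if (val == "false") state = "disabled"
            else                     state = "review"  # flag anything unexpected
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample config for the demo (not taken from a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
bridge:
  domain: example.com
generic:
  enabled: true
  allowJsTransformationFunctions: true   # the setting the workaround disables
EOF
echo "generic.allowJsTransformationFunctions: $(js_transform_state "$sample")"
rm -f "$sample"
```

A result of "enabled" on a version below 4.5.0 means the instance is in the affected configuration; "review" means the value should be checked by hand.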

References

  • The vm2 project describes its reasons for closing the project.

Severity

Moderate

CVE ID

CVE-2023-43656

Weaknesses