CVE-2021-23543

9.8 CRITICAL

📋 TL;DR

The realms-shim package is vulnerable to sandbox bypass via prototype pollution, allowing attackers to modify JavaScript object prototypes and potentially execute arbitrary code. This affects all applications using any version of realms-shim, particularly Node.js applications that implement sandboxing for untrusted code execution.

💻 Affected Systems

Products:
  • realms-shim
Versions: All versions
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in all configurations where realms-shim is used to create sandboxes for untrusted code execution.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete sandbox escape leading to remote code execution, privilege escalation, and full system compromise.

🟠 Likely Case

Sandbox bypass allowing unauthorized access to host environment, data exfiltration, or modification of application behavior.

🟢 If Mitigated

Limited impact if proper input validation and sandbox isolation are implemented, though prototype pollution could still affect application logic.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution attacks are well-documented and relatively easy to exploit in JavaScript environments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://www.npmjs.com/package/realms-shim

Restart Required: Yes

Instructions:

  1. Remove realms-shim from your project dependencies.
  2. Use alternative sandboxing solutions like isolated-vm or vm2 with proper security configurations.
  3. Update package.json and run npm install to remove the dependency.

🔧 Temporary Workarounds

Remove realms-shim dependency

Platform: all

Completely remove the vulnerable package and replace with secure alternatives

npm uninstall realms-shim

Implement input validation

Platform: all

Add strict input validation and sanitization for all objects passed to sandbox environments

🧯 If You Can't Patch

  • Isolate affected systems from internet access and sensitive internal networks
  • Implement strict network segmentation and monitor for unusual sandbox escape attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for realms-shim dependency, or run: npm list realms-shim

Check Version:

npm list realms-shim

Verify Fix Applied:

Confirm realms-shim is no longer in package.json and npm list shows no installation
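
A scripted version of the lockfile check described above, as an added example (not part of the original page or of the realms-shim project). It reports direct and transitive copies of realms-shim recorded in a parsed package-lock.json; the function name `findInLockfile` and the sample lockfiles are constructed for illustration.

```javascript
// Added example: find every recorded copy of a package in a parsed
// package-lock.json, covering both lockfile layouts npm has used.
const TARGET = "realms-shim";

function findInLockfile(lock, target = TARGET) {
  const hits = [];
  const marker = "node_modules/";

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/realms-shim".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx !== -1 && path.slice(idx + marker.length) === target) {
      hits.push({ path, version: meta.version || "unknown" });
    }
  }
  // Version 2 files also carry the legacy tree; avoid double counting.
  if (hits.length > 0) return hits;

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + marker + name;
      if (name === target) hits.push({ path, version: meta.version || "unknown" });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (package names and versions are made up).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plugin-runner": { version: "0.0.0-sample" },
    "node_modules/plugin-runner/node_modules/realms-shim": { version: "0.0.0-sample" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "plugin-runner": {
      version: "0.0.0-sample",
      dependencies: { "realms-shim": { version: "0.0.0-sample" } },
    },
  },
};
console.log(findInLockfile(sampleV3), findInLockfile(sampleV1));
```

Pass it the result of `JSON.parse` on your own package-lock.json; an empty array means no copy is recorded in that lockfile.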

📡 Detection & Monitoring

Log Indicators:

  • Unusual prototype modifications
  • Sandbox escape attempts
  • Unexpected require() calls from sandboxed code

Network Indicators:

  • Outbound connections from sandboxed processes
  • Unexpected file system access patterns

SIEM Query:

process.name:node AND (cmdline:*realms-shim* OR anomaly:prototype_modification)
