CVE-2021-23594

9.8 CRITICAL

📋 TL;DR

The realms-shim package is vulnerable to sandbox bypass via prototype pollution, allowing attackers to modify JavaScript object prototypes and potentially execute arbitrary code. This affects all applications using any version of realms-shim, particularly Node.js applications that implement sandboxing for untrusted code execution.

💻 Affected Systems

Products:
  • realms-shim
Versions: All versions
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using realms-shim for sandboxing JavaScript execution is vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete sandbox escape leading to remote code execution, privilege escalation, and full system compromise.

🟠 Likely Case: Arbitrary code execution within the application context, data manipulation, and potential lateral movement.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing controls are implemented alongside the package.

🌐 Internet-Facing: HIGH - Web applications using realms-shim for sandboxing user-provided code are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications using realms-shim for code isolation could be exploited through internal attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Prototype pollution vulnerabilities are well-understood and easily weaponized in JavaScript environments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.npmjs.com/package/realms-shim

Restart Required: Yes

Instructions:

No official patch exists. Remove realms-shim entirely and replace with alternative sandboxing solutions.

🔧 Temporary Workarounds

Remove realms-shim package

all

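Uninstall realms-shim and replace it with an alternative such as isolated-vm or vm2 with proper configuration. vm2 has had sandbox-escape advisories of its own, so check its current advisory and maintenance status before adopting it.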

npm uninstall realms-shim

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to realms-shim sandboxes
  • Run applications with minimal privileges and in isolated containers to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for realms-shim: grep -r 'realms-shim' package.json node_modules/

Check Version:

npm list realms-shim

Verify Fix Applied:

Verify realms-shim is no longer in package.json or node_modules directory
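
The grep and npm checks above depend on node_modules being installed. The following added example (not from the original page or the realms-shim project) scans a parsed package-lock.json for realms-shim, including transitive and aliased copies, in both lockfile layouts; the function name, the "plugin-host" package and the version strings are constructed for illustration.

```javascript
// Added example; findPackage and both sample lockfiles are constructed.
function findPackage(lock, target = 'realms-shim') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // An aliased install keeps the real package name in entry.name.
      const name = entry.name || path.split('node_modules/').pop();
      if (name === target) hits.push({ path, version: entry.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested trees; an alias shows up as version "npm:<name>@<ver>".
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const aliased = String(entry.version).startsWith(`npm:${target}@`);
      if (name === target || aliased) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed samples: a transitive copy pulled in by a hypothetical "plugin-host".
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/plugin-host': { version: '0.0.0' },
    'node_modules/plugin-host/node_modules/realms-shim': { version: '0.0.0' },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'plugin-host': { version: '0.0.0', dependencies: { 'realms-shim': { version: '0.0.0' } } },
    'unrelated-lib': { version: '0.0.0' },
  },
};
// CLI use: node find-realms-shim.js ./package-lock.json (exit code 1 when found).
if (typeof require === 'function' && /package-lock\.json$/.test(process.argv[2] || '')) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const hits = findPackage(lock);
  hits.forEach((h) => console.log(`${h.path} (${h.version})`));
  process.exitCode = hits.length ? 1 : 0;
}
```

Because it reads the lockfile rather than the installed tree, the check can run in CI before `npm install` and fail the build when any path to realms-shim is present.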

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawning from Node.js applications
  • Unexpected file system modifications by Node processes

Network Indicators:

  • Outbound connections from Node.js processes to unexpected destinations

SIEM Query:

(process.name:node OR process.name:node.exe) AND (process.cmdline:*realms-shim* OR process.cmdline:*sandbox*)
