vm2 Sandbox Escape vulnerability
CVE-2023-37466

9.8CRITICAL

Key Information:

Vendor

Patriksimek

Status
Vm2
Vendor
CVE Published:
14 July 2023

What is CVE-2023-37466?

The vm2 library, a popular sandbox for Node.js, has a significant vulnerability that allows unauthorized access to a system's environment. This issue arises from a flaw in the sanitization of Promise handlers, which can be bypassed using the @@species accessor property. As a result, attackers can escape the sandbox environment and execute arbitrary code, potentially leading to severe security breaches. Users are strongly advised to avoid using vm2 in production due to the discontinued maintenance and this critical vulnerability.

Affected Version(s)

vm2 <= 3.9.19

References

https://github.com/patriksimek/vm2/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9...
x_refsource_MISC
https://github.com/patriksimek/vm2/releases/tag/v3.10.0
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.