vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
References
Link | Resource |
---|---|
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 | Exploit Vendor Advisory |
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 | Exploit Vendor Advisory |
Configurations
History
21 Nov 2024, 08:11
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Exploit, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
01 Feb 2024, 14:05
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Exploit, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
15 Sep 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. |
31 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Jul 2023, 12:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Vm2 Project
Vm2 Project vm2 |
|
References | (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Vendor Advisory | |
CPE | cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* |
14 Jul 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-14 00:15
Updated : 2024-11-21 08:11
NVD link : CVE-2023-37466
Mitre link : CVE-2023-37466
CVE.ORG link : CVE-2023-37466
JSON object : View
Products Affected
vm2_project
- vm2
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')