vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
References
Link | Resource |
---|---|
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 | Exploit Vendor Advisory |
Configurations
History
01 Feb 2024, 14:05
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
References | (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Exploit, Vendor Advisory |
15 Sep 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. |
31 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Jul 2023, 12:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:* | |
References | (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Vendor Advisory | |
First Time |
Vm2 Project
Vm2 Project vm2 |
14 Jul 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-14 00:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-37466
Mitre link : CVE-2023-37466
CVE.ORG link : CVE-2023-37466
JSON object : View
Products Affected
vm2_project
- vm2
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')