CVE-2023-37466

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

History

01 Feb 2024, 14:05

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 10.0
References (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Vendor Advisory (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Exploit, Vendor Advisory

15 Sep 2023, 19:15

Type Values Removed Values Added
References
  • {'url': 'https://security.netapp.com/advisory/ntap-20230831-0007/', 'name': 'https://security.netapp.com/advisory/ntap-20230831-0007/', 'tags': [], 'refsource': 'MISC'}
Summary vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code. Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.

31 Aug 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230831-0007/ -

27 Jul 2023, 12:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*
References (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - (MISC) https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 - Vendor Advisory
First Time Vm2 Project
Vm2 Project vm2

14 Jul 2023, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-14 00:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-37466

Mitre link : CVE-2023-37466

CVE.ORG link : CVE-2023-37466


JSON object : View

Products Affected

vm2_project

  • vm2
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')