CVE-2023-37466

moderate-risk
Published 2023-07-14

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

Do I need to act?

~
5.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Vm2

Affected Vendors

Vm2 Project

References (5)

https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d7...
https://github.com/patriksimek/vm2/releases/tag/v3.10.0
Exploit https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
Exploit https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
https://security.netapp.com/advisory/ntap-20241108-0002/
45
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 8/34 · Low
Exposure 5/34 · Minimal