Sandbox escape in vm2 for Notde.js
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-29017 |
| CWE-ID | CWE-913 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
vm2 Web applications / Modules and components for CMS |
| Vendor | Patrik Simek |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Control of Dynamically-Managed Code Resources
EUVDB-ID: #VU74606
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2023-29017
CWE-ID:
CWE-913 - Improper Control of Dynamically-Managed Code Resources
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escape sandbox restrictions.
The vulnerability exists due to improper handling of host objects passed to "Error.prepareStackTrace" in case of unhandled async errors. A remote attacker can pass specially crafted input to the application, escape sandbox restrictions and execute arbitrary code on the host.
MitigationInstall updates from vendor's website.
Vulnerable software versionsvm2: 3.9.0 - 3.9.14
External linkshttp://github.com/patriksimek/vm2/issues/515
http://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50
http://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
http://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
