Sandbox escape in vm2 for Notde.js
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-29199 |
| CWE-ID | CWE-913 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
vm2 Web applications / Modules and components for CMS |
| Vendor | Patrik Simek |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Improper Control of Dynamically-Managed Code Resources
EUVDB-ID: #VU75366
Risk: Medium
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Green]
CVE-ID: CVE-2023-29199
CWE-ID:
CWE-913 - Improper Control of Dynamically-Managed Code Resources
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an error within the source code transformer. A remote user can bypass handleException() and leak unsanitized host exceptions. The obtain information can be used to escape the sandbox and run arbitrary code in host context.
MitigationInstall updates from vendor's website.
Vulnerable software versionsvm2: 3.9.0 - 3.9.15
CPE2.3- cpe:2.3:a:patriksimek:vm2:3.9.0:*:*:*:*:nodejs:*:*
- cpe:2.3:a:patriksimek:vm2:3.9.1:*:*:*:*:nodejs:*:*
- cpe:2.3:a:patriksimek:vm2:3.9.2:*:*:*:*:nodejs:*:*
https://github.com/patriksimek/vm2/releases/tag/3.9.16
https://github.com/patriksimek/vm2/issues/516
https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985
https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7
https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
