Sandbox escape in vm2 for Notde.js
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-30547 |
| CWE-ID | CWE-74 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
vm2 Web applications / Modules and components for CMS |
| Vendor | Patrik Simek |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Code injection
EUVDB-ID: #VU75367
Risk: Medium
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/U:Green]
CVE-ID: CVE-2023-30547
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an error in exception sanitization. A remote user can raise an unsanitized host exception inside "handleException()", which can be used to escape the sandbox and run arbitrary code in host context.
MitigationInstall updates from vendor's website.
Vulnerable software versionsvm2: 3.9.0 - 3.9.16
CPE2.3- cpe:2.3:a:patriksimek:vm2:3.9.0:*:*:*:*:nodejs:*:*
- cpe:2.3:a:patriksimek:vm2:3.9.1:*:*:*:*:nodejs:*:*
- cpe:2.3:a:patriksimek:vm2:3.9.2:*:*:*:*:nodejs:*:*
https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
