SB2023081515 - Security restrictions bypass in vm2
Published: August 15, 2023 Updated: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Security features bypass (CVE-ID: CVE-2023-37903)
CWE-ID: CWE-254 - Security Features
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Green
The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to unspecified error. An attacker with code execution primitive inside the context of vm2 sandbox can use the Node.js custom inspect function to escape the sandbox and run arbitrary code.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.