Security features bypass in vm2 - CVE-2023-37903

Published: August 15, 2023


Vulnerability identifier: #VU79504
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2023-37903
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software:
vm2

Detailed vulnerability description

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists because a value created inside the sandbox can carry a Node.js custom inspect function (the `util.inspect.custom` hook), and the host runtime invokes that function, with host-realm arguments, whenever the value is inspected (for example when it is logged or formatted). An attacker who already has a code execution primitive inside the vm2 sandbox can use this callback to escape the sandbox and run arbitrary code on the host. All releases up to and including 3.9.19, the last published version of vm2, are affected.


How to mitigate CVE-2023-37903

Cybersecurity Help is currently unaware of any official solution to address this vulnerability. Treat every deployed copy of vm2 as affected: do not run untrusted code inside a vm2 sandbox, and plan to remove or replace the dependency rather than wait for a fixed release.

Sources