CVE-2023-29017 | vm2 is a sandbox that can run untrusted code with whiteliste… | CVSS 10.0 CRITICAL

Description

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Metadata

CVE ID: CVE-2023-29017
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2023-03-29 17:39 UTC
Published: 2023-04-06 19:18 UTC
Last updated: 2025-02-10 16:10 UTC
Primary CWE: CWE-913
CWE-913: Improper Control of Dynamically-Managed Code Resour…
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.9.15

Weakness (CWE)

CWE	Source	Description
CWE-913	cna	CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (4)

https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
https://github.com/patriksimek/vm2/issues/515 https://github.com/patriksimek/vm2/issues/515
https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50 https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d