CVE-2023-37466

Published: Jul 14, 2023Modified: Jan 5, 2026

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 6.0

Source: NVD

Description

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

Affected (1)

Products: Vm2 Project: Vm2

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vm2 Project Vm2	Up to 3.9.19

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (5)

https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744

Source: security-advisories@github.com

https://github.com/patriksimek/vm2/releases/tag/v3.10.0

Source: security-advisories@github.com

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://security.netapp.com/advisory/ntap-20241108-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.