Vulnerability Description
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vm2 Project | Vm2 | <= 3.9.19 |
Related Weaknesses (CWE)
References
- https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d7
- https://github.com/patriksimek/vm2/releases/tag/v3.10.0
- https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5ExploitVendor Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5ExploitVendor Advisory
- https://security.netapp.com/advisory/ntap-20241108-0002/
FAQ
What is CVE-2023-37466?
CVE-2023-37466 is a vulnerability with a CVSS score of 9.8 (CRITICAL). vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for version...
How severe is CVE-2023-37466?
CVE-2023-37466 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-37466?
Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.