Vulnerability Description
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vm2 Project | Vm2 | <= 3.9.19 |
Related Weaknesses (CWE)
References
- https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4Vendor Advisory
- https://security.netapp.com/advisory/ntap-20230831-0007/Third Party Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4Vendor Advisory
- https://security.netapp.com/advisory/ntap-20230831-0007/Third Party Advisory
- https://security.netapp.com/advisory/ntap-20241108-0002/
FAQ
What is CVE-2023-37903?
CVE-2023-37903 is a vulnerability with a CVSS score of 9.8 (CRITICAL). vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may re...
How severe is CVE-2023-37903?
CVE-2023-37903 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-37903?
Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.