Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1nNjQ0LTlnZngtcTRxNM4AA0sL

vm2 Sandbox Escape vulnerability

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Impact

Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Patches

None.

Workarounds

None.

References

PoC is to be disclosed on or after the 5th of September.

Similarity with CVE-2023-37466

While this advisory might look similar to CVE-2023-37466, it is a completely different way of escaping the sandbox.

For more information

If you have any questions or comments about this advisory:

• Open an issue in VM2

Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.

Permalink: https://github.com/advisories/GHSA-g644-9gfx-q4q4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNjQ0LTlnZngtcTRxNM4AA0sL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 10 months ago
Updated: 6 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-g644-9gfx-q4q4, CVE-2023-37903
References:

• https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
• https://nvd.nist.gov/vuln/detail/CVE-2023-37903
• https://security.netapp.com/advisory/ntap-20230831-0007/
• https://github.com/advisories/GHSA-g644-9gfx-q4q4

Repository: https://github.com/patriksimek/vm2
Blast Radius: 46.2

Affected Packages