CVE-2023-37903

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-37903

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37903.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-37903

Aliases

GHSA-g644-9gfx-q4q4

Related

GHSA-g644-9gfx-q4q4

Published

2023-07-21T20:15:16Z

Modified

2025-01-14T11:49:47.619034Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type: GIT
Repo: https://github.com/patriksimek/vm2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

1663f231ec02db473ed5b743e3b91b8a2ffc7982

Affected versions

3.*

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

3.9.17

3.9.18

3.9.19

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

v3.*

v3.9.0

v3.9.1

v3.9.2