GHSA-g644-9gfx-q4q4

Suggest an improvement
Source
https://github.com/advisories/GHSA-g644-9gfx-q4q4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-g644-9gfx-q4q4/GHSA-g644-9gfx-q4q4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g644-9gfx-q4q4
Aliases
Published
2023-07-13T17:01:58Z
Modified
2023-11-08T04:13:04.005297Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vm2 Sandbox Escape vulnerability
Details

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Impact

Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Patches

None.

Workarounds

None.

References

PoC is to be disclosed on or after the 5th of September.

Similarity with CVE-2023-37466

While this advisory might look similar to CVE-2023-37466, it is a completely different way of escaping the sandbox.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in VM2

Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.

References

Affected packages

npm / vm2

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.9.19