CRITICAL 9.8
GHSA-7jxr-cg7f-gpgv
vm2 vulnerable to sandbox escape
Details
vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.
- vm2 version: ~3.9.14 - Node version: 18.15.0, 19.8.1, 17.9.1
### Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches This vulnerability was patched in the release of version `3.9.15` of `vm2`.
### Workarounds None.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-29017 [ADVISORY]
- https://github.com/patriksimek/vm2/issues/515 [WEB]
- https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50 [WEB]
- https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d [WEB]
- https://github.com/patriksimek/vm2 [PACKAGE]