GHSA-g644-9gfx-q4q4
vm2 Sandbox Escape vulnerability
Details
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
### Impact Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.
### Patches None.
### Workarounds None.
### References PoC is to be disclosed on or after the 5th of September.
### Similarity with [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466) While this advisory might look similar to [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466), it is a completely different way of escaping the sandbox.
### For more information If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for vm2 (npm). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2023-37903 [ADVISORY]
- https://github.com/patriksimek/vm2 [PACKAGE]
- https://security.netapp.com/advisory/ntap-20230831-0007 [WEB]
- https://security.netapp.com/advisory/ntap-20241108-0002 [WEB]