10
CVE-2023-37466
- EPSS 2.34%
- Veröffentlicht 14.07.2023 00:15:09
- Zuletzt bearbeitet 05.01.2026 22:15:46
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginvm2 Sandbox Escape vulnerability
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Vm2 Project ≫ Vm2 SwPlatformnode.js Version <= 3.9.19
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.34% | 0.814 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
| security-advisories@github.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
https://security.netapp.com/advisory/ntap-20241108-0002/
https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744
https://github.com/patriksimek/vm2/releases/tag/v3.10.0