CVE-2023-37466

Exploit

EPSS 5.43%
Veröffentlicht 14.07.2023 00:15:09
Zuletzt bearbeitet 03.11.2025 22:16:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vm2 Project ≫ Vm2 SwPlatformnode.js Version <= 3.9.19

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.43%	0.897

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

Vendor Advisory

Exploit

https://security.netapp.com/advisory/ntap-20241108-0002/

https://nvd.nist.gov/vuln/detail/CVE-2023-37466

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37466

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37466

EUVD