Home > Vulnerability Database > CVE-2023-29017

Mend.io Vulnerability Database

CVE-2023-29017

Good to know:

Date: April 6, 2023

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Language: JS

Severity Score

9.8

Related Resources (6)

Url: https://github.com/patriksimek/vm2/issues/515

Url: https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d

Url: https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-29017

Url: https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv

Url: https://www.mend.io/vulnerability-database/CVE-2023-29017

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.9.15

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-29017

Good to know:

Date: April 6, 2023

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?