Vulnerability DatabaseCVE-2023-29017
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-29017
April 06, 2023
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
Related ResourcesĀ (6)
https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50
https://github.com/patriksimek/vm2/issues/515
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
https://nvd.nist.gov/vuln/detail/CVE-2023-29017
https://github.com/patriksimek/vm2
https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
Do you need more information?
Contact Us
CVSS v4
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Control of Dynamically-Managed Code Resources
CWE-913
EPSS
Base Score:
76.98