Home > Vulnerability Database > CVE-2023-29199

Mend.io Vulnerability Database

CVE-2023-29199

Good to know:

Date: April 14, 2023

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass "handleException()" and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version "3.9.16" of "vm2".

Language: JS

Severity Score

9.8

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-29199

Url: https://github.com/patriksimek/vm2/issues/516

Url: https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c

Url: https://github.com/patriksimek/vm2/releases/tag/3.9.16

Url: https://github.com/patriksimek/vm2

Url: https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985

Url: https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7

Url: https://www.mend.io/vulnerability-database/CVE-2023-29199

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.9.16

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-29199

Good to know:

Date: April 14, 2023

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?