Home > Vulnerability Database > CVE-2023-32314

Mend.io Vulnerability Database

CVE-2023-32314

Good to know:

Date: May 15, 2023

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of "Proxy". As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version "3.9.18" of "vm2". Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: JS

Severity Score

9.8

Related Resources (7)

Url: https://github.com/patriksimek/vm2/releases/tag/3.9.18

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-32314

Url: https://github.com/patriksimek/vm2

Url: https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf

Url: https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5

Url: https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

Url: https://www.mend.io/vulnerability-database/CVE-2023-32314

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version vm2 - 3.9.18

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-32314

Good to know:

Date: May 15, 2023

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?