CVE-2023-29017
vm2 vulnerable to sandbox escape
Description
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.
- vm2 version: ~3.9.14
- Node version: 18.15.0, 19.8.1, 17.9.1
Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
Patches
This vulnerability was patched in the release of version 3.9.15 of vm2.
Workarounds
None.
Patch Available
Fix available through Seal Security.
No upgrade required, protect your application instantly.
Score
Severity
Ecosystem
JavaScript
Publish Date
April 7, 2023
Modified Date
November 7, 2023
Score Vector
Affected Versions

