Refine your search
2 vulnerabilities found for by vm2_project
CVE-2023-37903 (GCVE-0-2023-37903)
Vulnerability from cvelistv5
Published
2023-07-21 19:42
Modified
2025-11-03 21:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patriksimek | vm2 |
Version: <= 3.9.19 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:48:55.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230831-0007/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vm2",
"vendor": "patriksimek",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.9.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-31T18:06:31.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230831-0007/"
}
],
"source": {
"advisory": "GHSA-g644-9gfx-q4q4",
"discovery": "UNKNOWN"
},
"title": "Sandbox Escape in vm2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37903",
"datePublished": "2023-07-21T19:42:09.346Z",
"dateReserved": "2023-07-10T17:51:29.610Z",
"dateUpdated": "2025-11-03T21:48:55.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-37466 (GCVE-0-2023-37466)
Vulnerability from cvelistv5
Published
2023-07-13 23:17
Modified
2025-11-03 21:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| patriksimek | vm2 |
Version: <= 3.9.19 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:48:53.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:36:22.731709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T14:51:16.362Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vm2",
"vendor": "patriksimek",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.9.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T17:16:58.315Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5"
}
],
"source": {
"advisory": "GHSA-cchq-frgv-rjh5",
"discovery": "UNKNOWN"
},
"title": "vm2 Sandbox Escape vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37466",
"datePublished": "2023-07-13T23:17:51.434Z",
"dateReserved": "2023-07-06T13:01:36.997Z",
"dateUpdated": "2025-11-03T21:48:53.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}