CVE-2023-37903

Description

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. ### Impact Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. ### Patches None. ### Workarounds None. ### References PoC is to be disclosed on or after the 5th of September. ### Similarity with [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466) While this advisory might look similar to [CVE-2023-37466](https://nvd.nist.gov/vuln/detail/CVE-2023-37466), it is a completely different way of escaping the sandbox. ### For more information If you have any questions or comments about this advisory: - Open an issue in [VM2](https://github.com/patriksimek/vm2) Thanks to [Xion](https://twitter.com/0x10n) (SeungHyun Lee) of [KAIST Hacking Lab](https://kaist-hacking.github.io/) for disclosing this vulnerability.

Affected packages (1)

• npm/vm2from 0, <= 3.9.19

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-37903
• PATCHhttps://github.com/patriksimek/vm2
• WEBhttps://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
• WEBhttps://security.netapp.com/advisory/ntap-20230831-0007
• WEBhttps://security.netapp.com/advisory/ntap-20241108-0002