vm2 Sandbox Escape vulnerability

🗓️ 13 Jul 2023 17:01:58Reported by GitHub Advisory DatabaseType

github🔗 github.com👁 327 Views

vm2 Sandbox Escape vulnerability in Node.js up to 3.9.1

Reporter	Title	Published	Views	Family All 25
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]	11 Sep 202316:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903]	24 Aug 202315:07	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Instana Observability for Synthetic PoP is affected by vulnerabilities in vm2	15 Mar 202413:58	–	ibm
GithubExploit	Exploit for OS Command Injection in Vm2_Project Vm2	5 Nov 202311:23	–	githubexploit
Circl	CVE-2023-37903	5 Nov 202311:27	–	circl
CNNVD	vm2 操作系统命令注入漏洞	21 Jul 202300:00	–	cnnvd
CVE	CVE-2023-37903	21 Jul 202319:42	–	cve
Cvelist	CVE-2023-37903 Sandbox Escape in vm2	21 Jul 202319:42	–	cvelist
Github Security Blog	vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE	29 May 202617:50	–	github
NVD	CVE-2023-37903	21 Jul 202320:15	–	nvd

Vulners

Node

vm2_project vm2Range≤3.9.19npm

Source	Link
github	www.github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-37903
security	www.security.netapp.com/advisory/ntap-20230831-0007
security	www.security.netapp.com/advisory/ntap-20241108-0002
github	www.github.com/advisories/GHSA-g644-9gfx-q4q4

04 Nov 2025 16:44Current

7.2High risk

Vulners AI Score7.2

CVSS 3.19.8 - 10

EPSS0.40092