Vm2 Security Vulnerabilities and Issues — Vm2 CVE List

Lucene search

Vm2 ProjectVm2

7 matches found

CVE•added 2023/04/14 7:15 p.m.•412 views

CVE-2023-29199

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor...

10CVSS9.8AI score0.34502EPSS

CVE•added 2023/04/06 8:15 p.m.•179 views

CVE-2023-29017

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code exe...

10CVSS10AI score0.79898EPSS

CVE•added 2023/04/17 10:15 p.m.•178 views

CVE-2023-30547

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox ...

10CVSS9.5AI score0.84615EPSS

CVE•added 2023/05/15 8:15 p.m.•151 views

CVE-2023-32314

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy. As a result a threat actor can bypass the sandbox p...

10CVSS9.8AI score0.67965EPSS

CVE•added 2023/07/14 12:15 a.m.•105 views

CVE-2023-37466

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with the @@species accessor property a...

10CVSS10AI score0.04083EPSS

CVE•added 2023/07/21 8:15 p.m.•93 views

CVE-2023-37903

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside ...

10CVSS9.9AI score0.35568EPSS

CVE•added 2023/05/15 8:15 p.m.•59 views

CVE-2023-32313

vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. As a result a threat actor can edit options for the console.log command. This vul...

5.3CVSS7.2AI score0.00653EPSS