CVE-2023-29017

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-29017

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-29017.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-29017

Aliases

GHSA-7jxr-cg7f-gpgv

Published

2023-04-06T19:18:34Z

Modified

2025-10-30T20:20:04.456338Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

vm2 Sandbox Escape vulnerability

Details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

Database specific

{
    "cwe_ids": [
        "CWE-913"
    ]
}

References

Affected packages

Git / github.com/patriksimek/vm2

Affected ranges

Type: GIT
Repo: https://github.com/patriksimek/vm2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

115d1644b7308a5570cba58ec461ae61b96a583c

Affected versions

3.*

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

v3.*

v3.9.0

v3.9.1

v3.9.2