← Volver a CVEs

CVE-2023-37903

CRITICAL

9.8

Descripcion

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado7/21/2023

Ultima modificacion11/3/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

vm2_project:vm2

Debilidades (CWE)

CWE-78CWE-78

Referencias

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4(security-advisories@github.com)

https://security.netapp.com/advisory/ntap-20230831-0007/(security-advisories@github.com)

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20230831-0007/(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20241108-0002/(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.