← Zuruck zu CVEs

CVE-2023-37466

CRITICAL

9.8

Beschreibung

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht7/14/2023

Zuletzt geandert1/5/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

vm2_project:vm2

Schwachen (CWE)

CWE-94CWE-94

Referenzen

https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744(security-advisories@github.com)

https://github.com/patriksimek/vm2/releases/tag/v3.10.0(security-advisories@github.com)

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5(security-advisories@github.com)

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20241108-0002/(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.