Description
### NVD
> vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
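Since the advisory names no workaround and the only remediation is upgrading, the practical check is whether any copy of `vm2` older than `3.9.17` is installed, including transitive copies nested under other packages. The script below is an added example (not part of the NVD record or the vm2 project) that walks an npm `package-lock.json` (lockfile version 1 nested `dependencies`, or version 2/3 flat `packages`) and reports every `vm2` entry with a verdict; the lockfile layout and the `SAMPLE_LOCK` contents are assumptions constructed for the demo.

```javascript
// Added example, not code from the advisory or from vm2: audit an npm
// lockfile for copies of vm2 below the first patched release.
// Assumes npm lockfileVersion 1 ("dependencies", nested) or 2/3 ("packages", flat).

const FIXED_VM2_VERSION = '3.9.17'; // first patched release, per the advisory

// Parse "MAJOR.MINOR.PATCH" with optional "-prerelease" and "+build" parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts before the release of the same triple.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// true = affected, false = fixed, null = unparseable version (treat as "needs review").
function isAffectedVm2Version(version) {
  const v = parseSemver(version);
  if (!v) return null;
  return compareSemver(v, parseSemver(FIXED_VM2_VERSION)) < 0;
}

// Return every vm2 occurrence in the lockfile with its install path and verdict.
function findVm2InLockfile(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        hits.push({ path, version: entry.version, affected: isAffectedVm2Version(entry.version) });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') {
          hits.push({ path, version: entry.version, affected: isAffectedVm2Version(entry.version) });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not a real project): a fixed copy at the top level
// and a vulnerable copy pulled in transitively by a hypothetical "some-plugin".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin': { version: '2.1.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.16' },
  },
};

// Usage: node audit-vm2.js [path/to/package-lock.json]; without an argument the sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const hit of findVm2InLockfile(lock)) {
    const verdict = hit.affected === null ? 'UNKNOWN VERSION, review manually'
      : hit.affected ? `AFFECTED, upgrade to >= ${FIXED_VM2_VERSION}` : 'ok';
    console.log(`${hit.path}@${hit.version}: ${verdict}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { FIXED_VM2_VERSION, parseSemver, compareSemver, isAffectedVm2Version, findVm2InLockfile, SAMPLE_LOCK };
}
```

A top-level fixed copy does not protect code that resolves a nested copy, which is why the walk reports each install path separately; the same idea applies to yarn and pnpm lockfiles, which use different layouts and are not parsed here.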
CVSS details - base score 10
|CVSS3 metric|Value|
|:-|:-|
|Attack Vector|**Network**|
|Attack Complexity|**Low**|
|Privileges Required|**None**|
|User Interaction|**None**|
|Scope|**Changed**|
|Confidentiality|**High**|
|Integrity|**High**|
|Availability|**High**|
References
[NVD - CVE-2023-30547](https://nvd.nist.gov/vuln/detail/CVE-2023-30547)
[Ensure every catch block is protected · patriksimek/vm2@4b22e87 · GitHub](https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049)
[Handle host errors captured in Promises · patriksimek/vm2@f3db4de · GitHub](https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5)
[Sandbox Escape · Advisory · patriksimek/vm2 · GitHub](https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m)
[Sandbox Escape in vm2@3.9.16 · GitHub](https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244)
Related information
:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE