CVE-2023-32314 (Critical) detected in vm2-3.8.1.tgz

[mend-for-github-com[bot]]

CVE-2023-32314 - Critical Severity Vulnerability

Vulnerable Library - vm2-3.8.1.tgz

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!

Library home page: https://registry.npmjs.org/vm2/-/vm2-3.8.1.tgz

Path to dependency file: /backend/package.json

Path to vulnerable library: /backend/node_modules/vm2/package.json

Dependency Hierarchy: - :x: **vm2-3.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: 50731d7b248d2728e4e5fda6648192e5a322f08c

Found in base branch: master

Vulnerability Details

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-05-15

URL: CVE-2023-32314

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-whpj-8f3w-67p5

Release Date: 2023-05-15

Fix Resolution: 3.9.18

---

• [ ] Check this box to open an automated fix PR