XmiliaH
commented
5 months ago Maybe you should have a look at https://github.com/patriksimek/vm2/issues/533
Closed MirzaHamza00 closed 5 months ago
XmiliaH
commented
5 months ago Maybe you should have a look at https://github.com/patriksimek/vm2/issues/533
I have received GitHub Dependabot notifications for my project.
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
Impact Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.
Patches None.
Workarounds None.
References PoC is to be disclosed on or after the 5th of September.
Similarity with CVE-2023-37466 While this advisory might look similar to CVE-2023-37466, it is a completely different way of escaping the sandbox.
For more information If you have any questions or comments about this advisory:
Open an issue in VM2 Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.