CRITICAL🇵🇱 Wersja polska

CVE-2023-29017

CVSS 10.0v3.1pub. 2023-04-06upd. 2024-11-21

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Vm2 Project Vm2

    APP
    Vm2 Project
    < 3.9.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt

vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)

CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)

CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt

Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)

CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt

vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'

CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt

vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)