CVE-2023-30547
Published 2023-04-17
Priority: P1 · 81 · critical · CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 72.09% (99.4th percentile)
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patriksimek | vm2 | < 3.9.17 | 3.9.17 |
| vm2_project | vm2 | <= 3.9.16 | — |
| vm2_project | vm2 | >= 0 < 3.9.17 | 3.9.17 |
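A defender-side check for the affected range in the table above, as an added example that is not part of the original page or of the vm2 project: it walks a parsed `package-lock.json` and reports every vm2 copy older than 3.9.17, including transitive ones. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: CVE-2023-30547 range check (vm2 < 3.9.17) over a lockfile.
const FIXED = [3, 9, 17]; // first patched release, per the advisory

// "3.9.16" or "v3.9.16-rc.1" -> [3, 9, 16]; null when not x.y.z (git URL, tag).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // cannot prove it is patched: report for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  // Same x.y.z as the fix: a prerelease such as 3.9.17-rc.1 still predates it.
  return /^v?\d+\.\d+\.\d+-/.test(String(version));
}

// Covers both layouts: flat "packages" keys (lockfileVersion 2/3) and nested
// "dependencies" (lockfileVersion 1). Returns [{ path, version }].
function findAffectedVm2(lock) {
  const hits = new Map(); // keyed by path so v2 lockfiles are not double-counted
  const record = (path, version) => { if (isAffected(version)) hits.set(path, { path, version }); };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path)) record(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') record(path, meta.version);
      walk(meta.dependencies, `${path}/`); // transitive copies nest here
    }
  };
  walk(lock.dependencies, '');
  return [...hits.values()];
}

// Constructed sample lockfile; "demo-app" and "script-runner" are made-up names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/script-runner/node_modules/vm2': { version: '3.9.16' },
  },
};
console.log(findAffectedVm2(sampleLock));
```

In practice, pass the result of `JSON.parse` on the project's `package-lock.json`. The check covers only the range of this CVE, not later vm2 advisories.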
Detection & IOCs
- CVE-2023-30547 is exploitable in vm2 versions up to and including 3.9.16 via an unsanitized host exception raised inside handleException(); upgrade to 3.9.17 to remediate.
- The attack vector is an exception sanitization bypass: detect attempts to trigger unsanitized host exceptions crossing the sandbox boundary in vm2's handleException() function.
- No workarounds exist for CVE-2023-30547; the only mitigation is upgrading vm2 to version 3.9.17 or later.
- Red Hat explicitly states that mitigation options for this CVE do not meet their Product Security criteria; the affected package includes rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2).
CVSS provenance
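| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | — | 9.8 | CRITICAL | — |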
OSV
vm2 Sandbox Escape vulnerability
osv·2023-04-20
CVE-2023-30547 [CRITICAL] vm2 Sandbox Escape vulnerability
vm2 Sandbox Escape vulnerability
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context.
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.17` of `vm2`.
### Workarounds
None.
### References
PoC - https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to [Xion](https://twitt
GHSA
vm2 Sandbox Escape vulnerability
ghsa·2023-04-20
CVE-2023-30547 [CRITICAL] CWE-74 vm2 Sandbox Escape vulnerability
Red Hat
vm2: Sandbox Escape when exception sanitization
vendor_redhat·2023-04-17·CVSS 9.8
CVE-2023-30547 [CRITICAL] CWE-755 vm2: Sandbox Escape when exception sanitization
vm2: Sandbox Escape when exception sanitization
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
A flaw was found in the vm2 sandbox. When exception handling is triggered, an unsanitized host is not managed properly. This issue may allow an attacker to bypass the sandbox protections, which can lead to remote code execution on the hypervisor ho
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Critical vm2 sandbox bug lets attackers execute code on hosts
blogs_bleepingcomputer·2026-05-06·CVSS 9.8
CVE-2026-26956 [CRITICAL] Critical vm2 sandbox bug lets attackers execute code on hosts
## Critical vm2 sandbox bug lets attackers execute code on hosts
## Bill Toulas
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.
The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.
In the security advisory, the maintainer says that the issue only impacts environments with Node.js 25 (confirmed on Node.js 25.6.1) that have enabled WebAssembly exception handling and JSTag support.
vm2 is an open-source Node.js library used to run untrusted JavaScript code inside a restricted sandbox environment. It is commonly employed by online coding p
Bleepingcomputer
Critical sandbox escape flaw found in popular vm2 NodeJS library
blogs_bleepingcomputer·2026-01-27·CVSS 9.8
CVE-2026-22709 [CRITICAL] Critical sandbox escape flaw found in popular vm2 NodeJS library
## Critical sandbox escape flaw found in popular vm2 NodeJS library
## Bill Toulas
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system.
The open-source vm2 library creates a secure context to allow users to execute untrusted JavaScript code that does not have access to the filesystem.
vm2 has historically been seen in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, being used in more than 200,000 projects on GitHub. The project was discontinued in 2023, though, due to repeated sandbox-escape vulnerabilities, and considered unsafe for running untrusted code.
Last October, maintainer Patrik Šimek d
- https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
- https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
- https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
- https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
Published: 2023-04-17