CVE-2023-30547
published 2023-04-17


Priority: P1 (81), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 72.09% (99.4th percentile)
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Affected

3 ranges

Vendor        Product   Version range      Fixed in
patriksimek   vm2       < 3.9.17           3.9.17
vm2_project   vm2       <= 3.9.16          (none listed)
vm2_project   vm2       >= 0 < 3.9.17      3.9.17

Detection & IOCs (extracted from sources)

  • CVE-2023-30547 is exploitable in vm2 versions up to and including 3.9.16 via unsanitized host exception raised inside handleException(); upgrade to 3.9.17 to remediate
  • The weakness is an exception sanitization bypass: a host exception raised inside vm2's handleException() reaches sandboxed code unsanitized and can be used to escape into host context. Practical detection is version-based: find every installed copy of vm2 below 3.9.17, direct and transitive, in lockfiles and node_modules, since there is no runtime workaround
  • No workarounds exist for CVE-2023-30547; the only mitigation is upgrading vm2 to version 3.9.17 or later
  • Red Hat explicitly states that mitigation options for this CVE do not meet their Product Security criteria; the affected package includes rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2)
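The affected ranges above and the version-based detection point reduce to one check: is any installed copy of vm2, direct or transitive, older than 3.9.17? The script below is an added example, not code from the advisory or the vm2 project. It audits an npm package-lock.json for vm2 entries (lockfile v1 nested tree and v2/v3 flat "packages" map) and flags those below the fixed release; the sample lockfile embedded in it is constructed for the example, and the only fact taken from this page is the 3.9.17 threshold.

```javascript
// Added example for CVE-2023-30547 (not code from the advisory or the vm2
// project): audit an npm lockfile for vm2 copies below the fixed release
// 3.9.17. Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1
// (nested "dependencies" tree), so transitive copies are reported too.

const FIXED_VERSION = "3.9.17"; // first patched release per the advisory

// Parse "major.minor.patch" (optionally prefixed with "v"), ignoring any
// prerelease/build suffix. Throws on anything that is not a release version.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: returns -1, 0 or 1. A plain string compare would
// wrongly rank "3.9.9" above "3.9.17".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every vm2 release before 3.9.17 is in the affected range (<= 3.9.16).
function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every vm2 entry from a parsed package-lock.json object.
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: recursive "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Accepts the lockfile as a JSON string or an already parsed object and
// returns one record per vm2 copy; "vulnerable" is null when the version
// string could not be parsed (e.g. a git or link dependency) so it gets
// reviewed by hand instead of silently passing.
function auditLock(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  return findVm2(lock).map((entry) => {
    let vulnerable = null;
    try {
      vulnerable = isVulnerable(entry.version);
    } catch {
      // unparseable version: leave null
    }
    return { ...entry, vulnerable };
  });
}

// Constructed sample lockfile (v3): the app pins the fixed release directly,
// but a plugin drags in an older, nested copy that is still affected.
const SAMPLE_LOCK = JSON.stringify({
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { vm2: "^3.9.17", "some-plugin": "1.0.0" } },
    "node_modules/vm2": { version: "3.9.17" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "3.9.16" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.16" },
  },
});

for (const r of auditLock(SAMPLE_LOCK)) {
  const state = r.vulnerable === null ? "unknown version"
    : r.vulnerable ? "VULNERABLE (CVE-2023-30547)" : "ok";
  console.log(`${r.path}@${r.version}: ${state}`);
}
```

The nested copy is the case that a glance at the root package.json misses: the application itself pins 3.9.17, yet the plugin's private copy of vm2 3.9.16 still ships and is still reachable from whatever code the plugin sandboxes. Run the audit against the real lockfile (JSON.parse of package-lock.json) and treat any vulnerable or null entry as a finding.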

CVSS provenance

NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat (vendor): 9.8 CRITICAL