CVE-2023-37466
published 2026-05-04


Priority: P271 · Severity: critical, 10.0 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: flagged
EPSS: 2.34% (81.5th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

Affected (8 ranges)

Vendor                     | Product           | Version range     | Fixed in
ansible-automation-platform | automation-portal |                   |
hoppscotch                  | cli               | >= 0.5.0 < 0.8.0  | 0.8.0
patriksimek                 | vm2               | < 3.10.5          | 3.10.5
rhdh                        | rhdh-hub-rhel9    |                   |
vm2_project                 | vm2               | < 3.10.5          | 3.10.5
vm2_project                 | vm2               | <= 3.9.19         |
vm2_project                 | vm2               | >= 0 < 3.10.0     | 3.10.0
vm2_project                 | vm2               | 0 – 3.9.19        |

Detection & IOCs (extracted from sources)

command: c.constructor('return process')().mainModule.require('child_process')
command: childProcess.execSync('${command}')
  • Detect sandbox escape via Proxy getPrototypeOf trap triggering recursive stack overflow — attacker constructs a Proxy with a getPrototypeOf handler that calls a recursive stack() function, then catches the resulting error to extract the Function constructor and escape the vm2 sandbox.
  • Alert on vm2 versions <= 3.9.19 in Node.js environments — these versions are confirmed vulnerable to the sandbox escape leading to arbitrary/remote code execution.
  • Monitor for child_process.execSync calls originating from within a vm2 sandbox context — the exploit payload uses mainModule.require('child_process') followed by execSync to run OS commands on the host.
  • The fix introduced in vm2 v3.10.0 for CVE-2023-37466 is itself insufficient and bypassable — only v3.10.5 fully addresses the sandbox escape chain.
  • The vm2 project has been discontinued and should not be used in production regardless of patching status.

CVSS provenance

  • nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • ghsa: 10.0 CRITICAL
  • osv: 10.0 CRITICAL
  • vendor_redhat: 10.0 CRITICAL