Lucene search
Veracode Vulnerability DatabaseVERACODE:40153HistoryApr 18, 2023 - 10:11 a.m.
Arbitrary Code Execution
2023-04-1810:11:59
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
15
arbitrary code execution
vm2
transformer.js
remote attackers
handleexception()
sandbox
host context
EPSS
0.017
Percentile
88.1%
vm2 is vulnerable to Arbitrary Code Execution. The vulnerability exists because the transformer function of transformer.js allows remote attackers to bypass handleException() and leak unsanitized host exceptions to escape the sandbox and run arbitrary code in the host context.
References
gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
github.com/advisories/GHSA-xj72-wvfv-8985
github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7
github.com/patriksimek/vm2/issues/516
github.com/patriksimek/vm2/releases/tag/3.9.16
github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985
Related
osv
osv
CVE-2023-29199
2023-04-14 19:15:09
vm2 Sandbox Escape vulnerability
2023-04-12 20:42:44
nvd
nvd
CVE-2023-29199
2023-04-14 19:15:09
openvas
openvas
vm2 < 3.9.16 Sandbox Escape Vulnerability
2023-05-02 00:00:00
prion
prion
Remote code execution
2023-04-14 19:15:00
cve
cve
CVE-2023-29199
2023-04-14 19:15:09
cvelist
cvelist
CVE-2023-29199 vm2 Sandbox escape vulnerability
2023-04-14 18:37:03
redhatcve
redhatcve
CVE-2023-29199
2023-04-17 15:32:14
github
github
vm2 Sandbox Escape vulnerability
2023-04-12 20:42:44
nessus
nessus
Node.js Module vm2 < 3.9.16 Sandbox Breakout
2023-09-14 00:00:00
ibm
ibm
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs
2023-05-31 17:24:27
redhat
redhat
thn
thn
Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution
2023-04-19 04:53:00