CVE-2023-29017
Published: 06 April 2023
Summary
CVE-2023-29017 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Vm2 Project Vm2. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
vm2 is a JavaScript sandbox used to execute untrusted code while restricting access to a whitelist of Node.js built-in modules. The vulnerability, tracked as CVE-2023-29017, affects all versions prior to 3.9.15 and stems from improper handling of host objects passed to Error.prepareStackTrace during unhandled asynchronous errors. This flaw is assigned CWE-913 and carries a CVSS 3.1 base score of 10.0, reflecting its critical severity.
An attacker able to supply code to the sandbox can trigger the mishandling condition to escape the vm2 isolation boundary, obtaining arbitrary code execution on the underlying host system. Exploitation requires no authentication or user interaction and can be performed over the network, making any application that embeds an affected vm2 instance directly exposed.
The issue was resolved in vm2 3.9.15 by a commit that corrects the stack-trace handling path. The accompanying GitHub Security Advisory and issue tracker entries state there are no known workarounds, so the only mitigation is to upgrade to the patched release.
EPSS for the CVE reached a peak of 0.7944 and currently stands at 0.7496, having receded from that peak, which indicates sustained and material interest in exploitation following disclosure.
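Since the advisory states that upgrading to vm2 3.9.15 is the only mitigation, the practical first step for a defender is to find every copy of vm2 in a dependency tree, including transitive copies nested under other packages, and compare each against the fixed release. The script below is an added example, not code from the advisory or from the vm2 project: it reads an npm package-lock.json (both the nested v1 layout and the flat v2/v3 "packages" layout) and flags installs older than 3.9.15. The sample lockfile, including the package name "some-plugin", is constructed for illustration.

```javascript
// Added example (not from the advisory or the vm2 project): audit an npm
// package-lock.json for vm2 installs older than the fixed release 3.9.15.
const FIXED_VM2_VERSION = "3.9.15"; // fix version stated in the advisory

// Compare two dotted version strings numerically; a pre-release suffix
// such as "-beta" is ignored, and missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every vm2 entry. Lockfile v2/v3 lists packages flat under
// "packages" keyed by install path; v1 nests them under "dependencies".
function findVm2Installs(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: meta.version });
      }
    }
    return found; // v2 also carries a legacy "dependencies" tree; skip it to avoid duplicates
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Parse (if needed) and annotate each vm2 install with a vulnerable flag.
function auditVm2(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  return findVm2Installs(lock).map((e) => ({
    ...e,
    vulnerable: compareVersions(e.version, FIXED_VM2_VERSION) < 0,
  }));
}

// Human-readable report lines, one per vm2 install found.
function report(lockJson) {
  return auditVm2(lockJson).map(
    (r) => `${r.path}: ${r.version} ${r.vulnerable ? "VULNERABLE (< 3.9.15)" : "ok"}`
  );
}

// Constructed sample lockfile (v3 layout): the direct vm2 install is patched,
// but a transitive copy under the hypothetical package "some-plugin" is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { vm2: "^3.9.15", "some-plugin": "1.0.0" } },
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "3.9.14" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.14" },
  },
};

console.log(report(SAMPLE_LOCK).join("\n"));
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. The nested-copy case is the one worth checking: a top-level `npm install vm2@3.9.15` does not upgrade a copy pinned by another dependency, which is exactly what the second sample entry shows.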
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1229
Vulnerability details
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.