Cyber Resilience

CVE-2023-29017

Severity: Critical · Public PoC

Published: 06 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (3.9.15)

CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.7496 (98.9th percentile)
Risk Priority: 65 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29017 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in vm2 (vendor: vm2 project). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

vm2 is a JavaScript sandbox used to execute untrusted code while restricting access to a whitelist of Node.js built-in modules. The vulnerability, tracked as CVE-2023-29017, affects all versions prior to 3.9.15 and stems from improper handling of host objects passed to `Error.prepareStackTrace` during unhandled asynchronous errors. This flaw is assigned CWE-913 and carries a CVSS 3.1 base score of 10.0, reflecting its critical severity.

An attacker able to supply code to the sandbox can trigger the mishandling condition to escape the vm2 isolation boundary, obtaining arbitrary code execution on the underlying host system. Exploitation requires neither authentication nor user interaction and can be performed over the network, so any application that embeds an affected vm2 instance and runs untrusted code in it is directly exposed.

The issue was resolved in vm2 3.9.15 by a commit that corrects the stack-trace handling path. The accompanying GitHub Security Advisory and issue tracker entries state there are no known workarounds, so the only mitigation is to upgrade to the patched release.

EPSS for the CVE peaked at 0.7944 and currently stands at 0.7496, indicating sustained and material interest in exploitation following disclosure.
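Since upgrading is the only mitigation, the first job for a defender is finding every copy of vm2 in a dependency tree, including nested copies that npm did not deduplicate. The script below is an added example, not code from this page or from the vm2 project; it audits a package-lock.json against the 3.9.15 threshold, and the sample lockfile and the package name some-plugin are constructed for the demonstration.

```javascript
// Added example (not code from the advisory or the vm2 project): audit a
// package-lock.json for vm2 copies below the fixed release 3.9.15.
const FIXED_VERSION = '3.9.15';
// Compare "major.minor.patch[-pre]" strings; returns <0, 0 or >0.
// A pre-release such as "3.9.15-0" sorts below the bare release.
function compareSemver(a, b) {
  const [aCore, aPre] = a.split('-');
  const [bCore, bPre] = b.split('-');
  const pa = aCore.split('.').map(Number);
  const pb = bCore.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return (aPre ? 0 : 1) - (bPre ? 0 : 1);
}
const isVulnerableVm2 = (version) => compareSemver(version, FIXED_VERSION) < 0;
// Collect every vm2 entry from both lockfile layouts: v2/v3 "packages"
// (flat node_modules paths) and v1 "dependencies" (nested tree).
function findVm2(lock) {
  const found = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(p) && meta.version) found.push({ path: p, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && meta.version) found.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}
// Returns the vm2 entries that still need the upgrade.
function auditLockfile(lockJson) {
  return findVm2(JSON.parse(lockJson)).filter((e) => isVulnerableVm2(e.version));
}
// Constructed sample lockfile: a patched direct vm2 plus an older nested copy
// under a hypothetical dependency named some-plugin.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.14' },
  },
});
for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`vm2 ${hit.version} at ${hit.path} is below ${FIXED_VERSION}; upgrade`);
}
```

To use it on a real project, replace SAMPLE_LOCK with the contents of the project's package-lock.json; a direct vm2 at 3.9.15 does not clear a nested older copy, which is exactly the case the sample shows.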

EU & UK References

Vulnerability details

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vm2 project: vm2, versions ≤ 3.9.15

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-913: Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.

References