Cyber Resilience

CVE-2023-29199

Critical · Public PoC

Published: 14 April 2023

Modified: 21 November 2024
KEV Added: none
Patch: vm2 3.9.16
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.2497 (96.3rd percentile)
Risk Priority: 35 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29199 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in vm2 (vm2 project). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is present in the source code transformer exception sanitization logic of the vm2 JavaScript sandbox library in versions up to 3.9.15. It stems from a flaw that permits bypass of the handleException() routine, resulting in leakage of unsanitized host exceptions that can be leveraged to break out of the sandbox. The issue is tracked under CWE-913 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can supply crafted input to a vm2-protected application and exploit the exception handling weakness to escape the sandbox, ultimately executing arbitrary code with the privileges of the host process. This grants full host-level remote code execution without requiring user interaction or prior credentials.

The maintainers addressed the issue in vm2 release 3.9.16 via a targeted commit that strengthens exception sanitization. Security advisories and the associated GitHub issue recommend immediate upgrade to the patched version; the fix is also documented in the project’s security advisory GHSA-xj72-wvfv-8985.
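As an added illustration, not part of this advisory record or of the vm2 project's own code, the following Node.js script audits an npm package-lock.json for copies of vm2 older than the patched 3.9.16 release, including transitive copies; the lockfile content at the bottom is a constructed sample.

```javascript
// Added example, not from the advisory page or the vm2 project: audit an npm
// package-lock.json for copies of vm2 below 3.9.16, the release that fixes
// CVE-2023-29199, reporting each install path so transitive copies are visible.
const FIXED_VERSION = [3, 9, 16];

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version parses and is strictly below the fixed release.
function isVulnerableVm2(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, FIXED_VERSION) < 0;
}

// Returns [{ path, version }] for every affected vm2 copy. Lockfile v2/v3 lists
// every installed path flat under "packages"; v1 nests "dependencies" instead.
function findVulnerableVm2(lock) {
  const hits = [];
  const record = (path, version) => {
    if (isVulnerableVm2(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2')) record(path, entry.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') record(path, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (lockfile v3): one affected copy and one patched transitive copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/vm2': { version: '3.9.15' },
  'node_modules/some-tool/node_modules/vm2': { version: '3.9.16' } } };
console.log(findVulnerableVm2(SAMPLE_LOCK)); // [ { path: 'node_modules/vm2', version: '3.9.15' } ]
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; any non-empty result is a copy that still needs the 3.9.16 upgrade.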

The EPSS probability reached a peak of 0.3136 before receding to its current value of 0.2497, indicating moderate ongoing exploitation interest after disclosure.

EU & UK References

Vulnerability details

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vm2 project
vm2
≤ 3.9.16

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-913: Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.

References