CVE-2023-29199
Published: 14 April 2023
Summary
CVE-2023-29199 is a critical-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in the vm2 JavaScript sandbox library (NVD vendor/product: Vm2 Project Vm2). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is present in the source code transformer exception sanitization logic of the vm2 JavaScript sandbox library in versions up to 3.9.15. It stems from a flaw that permits bypass of the handleException() routine, resulting in leakage of unsanitized host exceptions that can be leveraged to break out of the sandbox. The issue is tracked under CWE-913 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker who can supply crafted input to a vm2-protected application can exploit the exception-handling weakness to escape the sandbox and execute arbitrary code with the privileges of the host process. The result is full host-level remote code execution that requires neither user interaction nor prior credentials.
The maintainers addressed the issue in vm2 release 3.9.16 via a targeted commit that strengthens exception sanitization. Security advisories and the associated GitHub issue recommend immediate upgrade to the patched version; the fix is also documented in the project’s security advisory GHSA-xj72-wvfv-8985.
The EPSS probability reached a peak of 0.3136 before receding to its current value of 0.2497, indicating moderate ongoing exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1428
Vulnerability details
There exists a vulnerability in the source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.
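Because the only remediation the advisory gives is upgrading to vm2 3.9.16 or later, the practical defender task is finding every copy of vm2 below that version, including transitive copies nested under other packages. The following audit script is an added example written for this page; it is not code from the vm2 project or from the advisory. It assumes the npm lockfile layout (a `packages` map for lockfileVersion 2/3, a nested `dependencies` tree for lockfileVersion 1), takes the fixed-version threshold `3.9.16` from the advisory text, and runs against a constructed sample lockfile embedded inline rather than a real project.

```javascript
// Added example: audit an npm package-lock.json for vm2 versions affected by
// CVE-2023-29199. Per the advisory, versions up to 3.9.15 are affected and
// 3.9.16 is the first fixed release.
const FIXED_VERSION = "3.9.16";

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing pre-release/build
// ignored) into a numeric triple; returns null if the string is not semver-like.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// vm2 is vulnerable to CVE-2023-29199 when its version is strictly below 3.9.16.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every vm2 entry in the lockfile, including copies nested under other
// packages (those are the ones a top-level "npm ls vm2" glance tends to miss).
function findVm2Entries(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Annotate each vm2 copy with a vulnerable/not-vulnerable verdict.
function auditLockfile(lock) {
  return findVm2Entries(lock).map(e => ({ ...e, vulnerable: isVulnerableVm2(e.version) }));
}

// Constructed sample lockfile (not a real project): the direct vm2 dependency
// is patched, but a plugin still pins an affected copy transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.16" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.15" },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path} vm2@${r.version}: ${r.vulnerable ? "VULNERABLE (< 3.9.16)" : "ok"}`);
}
```

On a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the reason to walk the whole lockfile rather than only the direct dependency, since a transitive vm2 at 3.9.15 leaves the host exposed even when the top-level copy is patched.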
- CWE(s): CWE-913 (Improper Control of Dynamically-Managed Code Resources)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization for, and ongoing control over, mobile code (dynamically loaded or executed code resources) is the control that addresses the CWE-913 weakness class cited for this CVE.