CVE-2023-30547
Published: 17 April 2023
Summary
CVE-2023-30547 is a critical-severity Injection (CWE-74) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
vm2 is a JavaScript sandbox for safely executing untrusted code while restricting access to Node.js built-in modules. A flaw in exception sanitization affects all versions up to and including 3.9.16, allowing an attacker to trigger an unsanitized host exception inside the handleException() routine. Successful exploitation escapes the sandbox and grants arbitrary code execution in the host context. The issue is tracked as CVE-2023-30547 with a CVSS v3.1 score of 9.8 and was fixed in version 3.9.17.
An unauthenticated remote attacker can supply malicious code to any application that uses a vulnerable vm2 instance to run untrusted input. Because the sandbox boundary can be bypassed, the attacker obtains full host privileges, including the ability to read or modify data and execute operating-system commands. The vulnerability maps to CWE-74 and requires no user interaction or special network conditions.
The GitHub Security Advisory GHSA-ch3r-j5x3-6q2m and the accompanying patches confirm there are no workarounds; the only recommended mitigation is to upgrade immediately to vm2 3.9.17. The current EPSS score of 0.8368 (peak 0.8485) indicates sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1268
Vulnerability details
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can…
more
be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.