CVE-2023-32314
Published: 15 May 2023
Summary
CVE-2023-32314 is a critical-severity injection (CWE-74) vulnerability in vm2 (vendor: Vm2 Project). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
vm2 is a JavaScript sandbox for safely executing untrusted code alongside Node.js built-in modules. CVE-2023-32314 is a sandbox-escape vulnerability present in all versions through 3.9.17 that stems from an unexpected host-object creation triggered by the ECMAScript Proxy specification. Successful exploitation allows an attacker to break out of the sandbox and obtain arbitrary code execution on the underlying host. The flaw received a CVSS 3.1 base score of 9.8.
An unauthenticated attacker can supply malicious JavaScript that runs inside a vm2 sandbox; by abusing the Proxy behavior the attacker can reach and manipulate host objects, ultimately spawning an operating-system process or otherwise executing code outside the sandbox. The attack requires only the ability to load code into the sandbox and needs no user interaction or special privileges.
The project’s security advisory and the 3.9.18 release notes state that the issue is resolved by upgrading to vm2 3.9.18; no workarounds are documented. The associated GitHub commit and proof-of-concept gist illustrate the Proxy misuse that was corrected.
EPSS scores for the CVE reached a peak of 0.7276 and currently stand at 0.6169, indicating sustained and material exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1640
Vulnerability details
vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
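Because the only documented remediation is the upgrade to 3.9.18, the practical defender task is finding every copy of vm2 in a dependency tree that is still at or below 3.9.17, including nested copies pulled in by other packages. The following Node.js script is an added example for this record (it is not code from the advisory or from the vm2 project). It assumes the standard npm lockfile layouts (a flat "packages" map in lockfile v2/v3, a nested "dependencies" tree in v1); the sample lockfile and the package names other than vm2 are constructed for the example.

```javascript
// Added example, not code from the CVE record or from the vm2 project:
// audit an npm lockfile for copies of vm2 affected by CVE-2023-32314.
// The advisory states that all versions through 3.9.17 are affected and
// that 3.9.18 contains the fix, so "vulnerable" means "older than 3.9.18".
const FIXED_VERSION = '3.9.18';

// Parse "major.minor.patch[-prerelease]" (an optional leading "v" is accepted).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// Returns -1, 0 or 1. A prerelease sorts before the release it precedes
// (3.9.18-0 < 3.9.18), which keeps the check conservative.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  return pa.prerelease ? -1 : 1;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3 keep a flat "packages" map keyed by install path, so nested
// duplicates such as "node_modules/foo/node_modules/vm2" are visible directly.
// Lockfile v1 keeps a nested "dependencies" tree, which is walked recursively.
function auditLockfile(lock) {
  const findings = [];
  const record = (path, version) =>
    findings.push({ path, version, vulnerable: isVulnerable(version) });

  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      record(path, meta.version);
    }
  }
  if (!lock.packages) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample lockfile (v3 layout). "example-plugin" is hypothetical;
// the top-level vm2 copy is fixed, the nested copy it carries is not.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.18' },
    'node_modules/example-plugin': { version: '2.1.0' },
    'node_modules/example-plugin/node_modules/vm2': { version: '3.9.17' },
  },
};

// Prints one line per vm2 copy and returns a non-zero exit code if any is affected,
// so the script can gate a CI pipeline.
function main() {
  const findings = auditLockfile(SAMPLE_LOCKFILE);
  for (const f of findings) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} vm2@${f.version}`);
  }
  return findings.some((f) => f.vulnerable) ? 1 : 0;
}

if (typeof require !== 'undefined' && require.main === module) process.exitCode = main();
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-copy case is the one that matters in practice: a top-level upgrade to 3.9.18 does nothing for a transitive dependency that pins its own older vm2, and a flat check of the root package.json would miss it.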
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).