Cyber Resilience

CVE-2023-37466

Critical · Public PoC · RCE

Published: 14 July 2023
Modified: 05 January 2026
KEV Added: not listed
Patch: 3.10.0
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0493 (89.8th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-37466 is a critical-severity Code Injection (CWE-94) vulnerability in the vm2 library from the vm2 project. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 10.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

vm2 is a sandbox library for isolating untrusted JavaScript code in Node.js. Versions up to and including 3.9.19 contain a flaw in the sanitization of Promise handlers that can be bypassed through the @@species accessor property. The issue is tracked as CWE-94 and carries a CVSS score of 9.8: it allows escape from the sandbox and execution of arbitrary code within the vm2 context. The project has been discontinued and is explicitly not recommended for production use.

An unauthenticated remote attacker can supply crafted JavaScript that triggers the bypass, achieving code execution inside the sandbox without user interaction. Successful exploitation grants the attacker the same privileges as the sandboxed code, which may include access to the underlying Node.js runtime depending on how vm2 is deployed.

The official patch is included in release 3.10.0, accompanied by a commit that addresses the sanitization logic. Security advisories from the vm2 repository and NetApp recommend upgrading immediately and note that no further maintenance will be provided for the library.
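As an added defender-side check (not code from this advisory or from the vm2 project), the following Node.js script flags any copy of vm2 at an affected version, i.e. anything below the patched release 3.10.0, in an npm lockfile. It assumes lockfile format 2 or 3, whose `packages` map keys install paths (including nested copies under a dependency's own `node_modules`) to version metadata, and it runs over a constructed sample lockfile embedded inline rather than reading one from disk.

```javascript
// Added example: detect vm2 versions affected by CVE-2023-37466 in an npm lockfile.
// Affected: <= 3.9.19; fixed in 3.10.0 (both values from the advisory).
const FIXED_VERSION = '3.10.0';

// Parse "MAJOR.MINOR.PATCH" into three numbers; a leading "v" and any
// pre-release/build suffix are ignored for this comparison.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A vm2 version is affected when it is strictly older than the fixed release.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and collect every
// install path whose package name is vm2 at an affected version. The package
// name is the last path segment after the final "node_modules/", so nested
// copies (e.g. node_modules/tool/node_modules/vm2) are found as well.
function findVulnerableVm2(lockfile) {
  const hits = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '' || !meta || !meta.version) continue; // "" is the root project
    const name = installPath.split('node_modules/').pop();
    if (name === 'vm2' && isVulnerableVm2(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (assumption: shape of an npm lockfileVersion 3 file).
// One top-level vm2 at 3.9.19 (affected) and one nested vm2 at 3.10.0 (fixed).
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/vm2': { version: '3.10.0' },
  },
};

// Stand-alone run: report affected installs found in the sample lockfile.
const findings = findVulnerableVm2(SAMPLE_LOCKFILE);
console.log(findings.length ? 'affected vm2 installs:' : 'no affected vm2 installs', findings);
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means an upgrade to 3.10.0 or, given the library's discontinued status, a migration away from vm2 is due.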

EPSS scores have remained modest, with a peak of 0.0682 and a current value of 0.0493.

EU & UK References

Vulnerability details

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.

CWE(s): CWE-94

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vm2 project
Product: vm2
Affected versions: ≤ 3.9.19

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.

Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References