Critical Vulnerabilities in vm2 Library

Published on 20 Apr 2023

vm2 has released security updates to address critical vulnerabilities (CVE-2023-29199 and CVE-2023-30547) in the vm2 JavaScript library. Both vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

Successful exploitation of the vulnerabilities could allow an unauthorised attacker to bypass the sandbox protections and perform remote code execution (RCE) on the host machine running the sandbox.

CVE-2023-29199 affects vm2 versions up to 3.9.15, while CVE-2023-30547 affects vm2 versions up to 3.9.16.

Users and administrators of affected product versions are advised to update to the latest versions immediately.
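As an added example, not part of this advisory or of the vm2 project: a Node script that scans a package-lock.json (lockfileVersion 2 or 3) for every installed copy of vm2, including transitive copies nested under other packages, and reports which of the two CVEs still apply to each. The sample lockfile and the package name example-dep are constructed for the demonstration.

```javascript
// Fix versions implied by the advisory's affected ranges:
// CVE-2023-29199 affects <= 3.9.15, CVE-2023-30547 affects <= 3.9.16.
const FIXED_CVE_2023_29199 = [3, 9, 16];
const FIXED_CVE_2023_30547 = [3, 9, 17];

// Parse "major.minor.patch" (pre-release suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Return the advisory CVEs that apply to a given vm2 version.
function cvesForVm2(version) {
  const v = parseSemver(version);
  const hits = [];
  if (cmp(v, FIXED_CVE_2023_29199) < 0) hits.push('CVE-2023-29199');
  if (cmp(v, FIXED_CVE_2023_30547) < 0) hits.push('CVE-2023-30547');
  return hits;
}

// Walk the lockfile's "packages" map; nested installs have paths like
// "node_modules/<dep>/node_modules/vm2" and are easy to miss by eye.
function findVulnerableVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    const cves = cvesForVm2(meta.version);
    if (cves.length) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample lockfile: the direct vm2 is patched, but a
// transitive copy under the hypothetical package example-dep is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/example-dep/node_modules/vm2': { version: '3.9.15' },
  },
};

console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means a nested dependency still pins an affected vm2 and needs an override or upstream update.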

More information is available here:
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/
https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m