CVE-2023-29017

10.0 CRITICAL

📋 TL;DR

CVE-2023-29017 is a critical sandbox escape vulnerability in vm2 that allows attackers to bypass sandbox protections and execute arbitrary code on the host system. This affects any application using vm2 versions before 3.9.15 to run untrusted JavaScript code. The vulnerability specifically involves improper handling of host objects in Error.prepareStackTrace during unhandled async errors.

💻 Affected Systems

Products:
  • vm2
Versions: All versions before 3.9.15
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vm2 to execute untrusted JavaScript code is vulnerable regardless of configuration.

📦 What is this software?

vm2 is a Node.js library for running untrusted JavaScript inside a sandboxed VM context, exposing only selected host objects to the sandboxed code.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete host system compromise with remote code execution, allowing attackers to execute arbitrary commands, access sensitive data, and pivot to other systems.

🟠 Likely Case: Full sandbox escape leading to execution of malicious code on the host, potentially resulting in data theft, system compromise, or lateral movement.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege principles are applied, though a sandbox escape still represents significant risk.

🌐 Internet-Facing: HIGH - Applications exposing vm2 sandbox functionality to untrusted users are directly vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal applications using vm2 with untrusted code inputs remain vulnerable, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available in GitHub gists and security advisories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.15

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv

Restart Required: Yes

Instructions:

1. Update the vm2 dependency to version 3.9.15 or later.
2. Run 'npm update vm2' or 'yarn upgrade vm2'.
3. Restart the application to ensure the updated version is loaded.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Immediately isolate affected systems from untrusted networks and users
  • Implement strict input validation and monitoring for any vm2 usage patterns

🔍 How to Verify

Check if Vulnerable:

Run 'npm list vm2' to see the installed version (package.json only records the declared range; the installed version is in package-lock.json or the 'npm list' output). If any installed copy, including transitive ones pulled in by other packages, is below 3.9.15, the system is vulnerable.

Check Version:

npm list vm2 | grep vm2

Verify Fix Applied:

After updating, verify vm2 version is 3.9.15 or higher using 'npm list vm2' or checking package.json.
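The version check described above, as an added example that is not part of the advisory or the vm2 project: it parses every vm2@<version> entry out of 'npm list' output (so nested copies pulled in by other packages are not missed) and flags each one that sorts below the fixed release 3.9.15. The sample 'npm list' text is constructed for the example.

```javascript
// Added example (not from the advisory or the vm2 project): flag installed
// vm2 copies that are older than the fixed release.
const FIXED_VERSION = "3.9.15";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v")
// into numeric parts. Returns null for strings that are not semver.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(version.trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease of X.Y.Z
// sorts below the X.Y.Z release, so "3.9.15-beta.1" is still vulnerable.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

function isVulnerable(version) {
  const v = parseSemver(version);
  if (!v) throw new Error(`not a semver string: ${version}`);
  return compareSemver(v, parseSemver(FIXED_VERSION)) < 0;
}

// Collect every distinct vm2@<version> entry from `npm list vm2` (or
// `npm ls --all`) text. Nested and "deduped" entries count too: one old copy
// anywhere in the tree is enough to be exposed.
function findVm2Versions(npmListOutput) {
  const versions = new Set();
  const re = /\bvm2@(\d+\.\d+\.\d+\S*)/g;
  let m;
  while ((m = re.exec(npmListOutput)) !== null) versions.add(m[1]);
  return [...versions];
}

// Installed vm2 versions that still need patching.
function vulnerableVersions(npmListOutput) {
  return findVm2Versions(npmListOutput).filter(isVulnerable);
}

// Constructed sample; real `npm list vm2` output has the same tree shape.
// Here a plugin carries its own old copy next to the app's patched one.
const SAMPLE_NPM_LIST = `my-app@1.0.0 /srv/my-app
├─┬ some-plugin@2.1.0
│ └── vm2@3.9.14
└── vm2@3.9.17
`;

const vulnerable = vulnerableVersions(SAMPLE_NPM_LIST);
console.log(vulnerable.length
  ? `vulnerable vm2 copies still installed: ${vulnerable.join(", ")}`
  : "no vulnerable vm2 copies found");
```

To run it against a real tree, replace SAMPLE_NPM_LIST with the captured output of 'npm ls vm2 --all' (or 'npm list vm2'); a non-empty result means a copy below 3.9.15 is still loadable by something in the dependency graph even if the top-level package.json already declares a patched version.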

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js applications
  • Sandbox escape attempts in application logs
  • Error.prepareStackTrace related errors

Network Indicators:

  • Unexpected outbound connections from Node.js processes
  • Command and control traffic from application servers

SIEM Query:

process.name:(node OR node.exe) AND (process.args:*vm2* OR process.args:*sandbox*) AND (process.args:*spawn* OR process.args:*exec*)

Note that the Node.js process is named 'node' on Linux and macOS and 'node.exe' on Windows, so a query matching only 'node.exe' misses Linux hosts, which is where most Node.js services run.
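The query above expressed as a filter over process-creation events, as an added example that is not part of the advisory: the first rule is a literal translation of the query (with both Node.js process names), and the second keys on the effect of a successful escape, a Node.js process spawning a shell, which does not depend on strings like 'vm2' appearing on a command line. The event shape (process.name, process.args, parent.name) and the sample events are assumed and constructed for the example.

```javascript
// Added example (not from the advisory): two process-event detection rules
// for a vm2 sandbox escape, run over constructed sample events.

const NODE_NAMES = new Set(["node", "node.exe"]);                       // Linux/macOS, Windows
const SHELLS = new Set(["sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"]);

function argsContain(args, needle) {
  return args.some((a) => a.toLowerCase().includes(needle));
}

// Rule 1: the advisory's SIEM query. Only fires when the application itself
// puts "vm2"/"sandbox" and "spawn"/"exec" on the command line, which many
// production deployments never do.
function matchesAdvisoryQuery(ev) {
  const args = ev.process.args || [];
  return NODE_NAMES.has(ev.process.name)
    && (argsContain(args, "vm2") || argsContain(args, "sandbox"))
    && (argsContain(args, "spawn") || argsContain(args, "exec"));
}

// Rule 2: a shell whose parent is a Node.js process. Code that has escaped
// the sandbox reaches the host's child_process module, so the observable
// artefact is the spawn itself, whatever the command line looked like.
function matchesNodeSpawnsShell(ev) {
  return Boolean(ev.parent) && NODE_NAMES.has(ev.parent.name) && SHELLS.has(ev.process.name);
}

// Evaluate both rules and report which fired for each event.
function evaluateEvents(events) {
  const hits = [];
  for (const ev of events) {
    const rules = [];
    if (matchesAdvisoryQuery(ev)) rules.push("advisory_query");
    if (matchesNodeSpawnsShell(ev)) rules.push("node_spawns_shell");
    if (rules.length) hits.push({ id: ev.id, rules });
  }
  return hits;
}

// Constructed sample events (assumed field layout, not real telemetry).
const SAMPLE_EVENTS = [
  { id: 1, process: { name: "node", args: ["node", "server.js"] } },                       // normal app start
  { id: 2, process: { name: "node.exe", args: ["node.exe", "run-vm2-sandbox.js", "--exec"] } }, // matches rule 1
  { id: 3, process: { name: "sh", args: ["sh", "-c", "id"] }, parent: { name: "node" } },   // matches rule 2
  { id: 4, process: { name: "sh", args: ["sh", "-c", "logrotate"] }, parent: { name: "cron" } }, // benign shell
  { id: 5, process: { name: "node", args: ["node", "scripts/exec-tests.js"] } },           // "exec" but no vm2/sandbox
];

for (const hit of evaluateEvents(SAMPLE_EVENTS)) {
  console.log(`event ${hit.id}: ${hit.rules.join(", ")}`);
}
```

Treat the second rule as the primary signal and tune it per application: a service that legitimately shells out (build runners, git wrappers) needs an allow-list of expected child commands, while a service that only evaluates user-supplied scripts through vm2 should never have a shell child at all.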
