CVE-2023-29199

9.8 CRITICAL

📋 TL;DR

A flaw in vm2's exception sanitization logic (the handleException() path) lets JavaScript running inside the sandbox obtain an unsanitized host exception object. Because that object belongs to the host realm, it can be used to escape the sandbox and run arbitrary code in the host Node.js process. Every application that uses vm2 versions up to and including 3.9.15 to sandbox JavaScript is affected; an attacker only needs to get code executed inside the sandbox to achieve remote code execution on the host.

💻 Affected Systems

Products:
  • vm2
Versions: All versions up to and including 3.9.15
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vm2 for sandboxing untrusted JavaScript code is vulnerable regardless of configuration.

📦 What is this software?

vm2 is a Node.js library for running untrusted JavaScript inside a sandbox. It builds on Node's built-in vm module (which by itself is not a security boundary) and adds proxying and sanitization of objects that cross between the host and the sandbox; this vulnerability is in that sanitization layer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete host compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other systems in the network.

🟠 Likely Case

Remote code execution on the host running the vulnerable vm2 sandbox, potentially leading to data theft, service disruption, or further network compromise.

🟢 If Mitigated

If the component that calls vm2 runs in its own least-privilege process or container with no credentials, no outbound network access, and host-level monitoring, the escape yields code execution in that constrained process rather than on the host. That is still a compromise of the process and must be treated as one; it is contained, not prevented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available in the GitHub advisory and the gist it references. Exploitation requires only the ability to run JavaScript inside the vm2 sandbox: no host credentials and no particular configuration. Whether that ability is reachable without authentication depends on the application (user-submitted scripts, plugins, templates, or expression evaluators are common entry points).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.16

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985

Restart Required: Yes

Instructions:

1. Update the vm2 dependency to version 3.9.16 or later. Later 3.9.x releases fixed further sandbox escapes, so install the newest available version rather than pinning exactly 3.9.16.
2. Update package.json to specify "vm2": "^3.9.16".
3. Run `npm install vm2@^3.9.16` (or `yarn upgrade vm2@^3.9.16`) so the lockfile resolves to the fixed version, and commit the updated lockfile. If vm2 is only a transitive dependency, update the package that pulls it in, or use an override/resolution to force the fixed version.
4. Restart the application to apply the patch.

🔧 Temporary Workarounds

Disable vm2 usage (platform: all)

Temporarily disable or remove the vm2 sandbox functionality until patching is possible. Note that this removes whatever feature depends on it, and that uninstalling the direct dependency does not remove nested copies pulled in by other packages (check with `npm ls vm2`). The vm2 maintainer has since discontinued the project and recommends migrating to isolated-vm, so a longer-term replacement should be planned even after patching.

npm uninstall vm2
yarn remove vm2

Network isolation (platform: all)

Isolate systems using vm2 from internet access, restrict their internal network connectivity to what the application needs, and apply egress filtering so that a post-escape payload cannot download stages or reach a command-and-control endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation and egress filtering to isolate vulnerable systems
  • Run the component that calls vm2 in a separate process or container with least privilege, no secrets in its environment, and a read-only filesystem where possible, so an escape lands in a constrained process rather than the host
  • Stop accepting untrusted code into the sandbox (feature flag it off) until the patch is applied
  • Apply additional monitoring and alerting for suspicious process creation or network activity originating from the Node.js process

🔍 How to Verify

Check if Vulnerable:

Check the installed version, not just the declared range: package.json shows only a semver range, while node_modules/vm2/package.json (and the lockfile) show what is actually resolved. Also check for nested copies installed under other packages, since vm2 is pulled in transitively by some dependencies. If any resolved copy is 3.9.15 or earlier, the system is vulnerable. `npm audit` will also report it once the advisory is in the registry database.

Check Version:

npm ls vm2
yarn why vm2

Verify Fix Applied:

Confirm with `npm ls vm2` that every resolved copy of vm2 is 3.9.16 or later (not only the range in package.json), then verify the application restarts successfully with the new version.

📡 Detection & Monitoring

Log Indicators:

  • Child processes spawned by the Node.js process that the application never legitimately creates, in particular shells (sh, bash, cmd.exe, powershell.exe) and download or decoding utilities
  • Application logs showing host-side stack traces or Error objects surfacing from sandboxed code, which indicates the exception sanitization path was exercised
  • Reads of files the application has no business touching from the Node.js process (credentials, SSH keys, cloud metadata)

Network Indicators:

  • Outbound connections from the Node.js process to destinations the application does not normally contact, especially raw IP addresses or unusual ports
  • Beaconing or reverse-shell patterns originating from the Node.js process (periodic connections to a single host, long-lived connections on non-HTTP ports)

SIEM Query:

process.parent.name:(node OR node.exe) AND process.name:(sh OR bash OR dash OR zsh OR cmd.exe OR powershell.exe OR pwsh)

vm2 is loaded inside the Node.js process, so its name never appears in command-line arguments; a query on process.args matching "vm2" or "sandbox" finds nothing. The useful signal is the child process created after the escape, so key on the parent/child relationship and on the command line of that child (downloaders, base64 decoding, /dev/tcp, encoded PowerShell).

🔗 References

  • Vendor advisory (GHSA-xj72-wvfv-8985): https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-29199