CVE-2023-37466

9.8 CRITICAL

📋 TL;DR

CVE-2023-37466 is a critical sandbox escape vulnerability in vm2, a Node.js sandbox library. Attackers can bypass Promise handler sanitization using the @@species accessor property to escape the sandbox and execute arbitrary code with the privileges of the Node.js process. This affects all applications using vm2 versions up to 3.9.19 for sandboxing untrusted code.

💻 Affected Systems

Products:
  • vm2
Versions: All versions up to and including 3.9.19
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vm2 to execute untrusted JavaScript code is vulnerable. The vulnerability exists in the core library functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the Node.js process, potentially leading to complete system compromise, data theft, or lateral movement.

🟠 Likely Case

Sandbox escape allowing execution of arbitrary Node.js code within the application context, potentially accessing sensitive data or performing unauthorized actions.

🟢 If Mitigated

Limited impact if vm2 is used only with trusted code or in isolated environments with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available in the security advisory. The vulnerability is straightforward to exploit once an attacker can provide input to the sandbox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.0

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

Restart Required: Yes

Instructions:

1. Update the vm2 dependency to version 3.10.0 or later.
2. Update package.json to specify "vm2": "^3.10.0".
3. Run 'npm update vm2' or 'yarn upgrade vm2'.
4. Restart the Node.js application.

🔧 Temporary Workarounds

Disable vm2 usage (applies to: all)

Temporarily disable or remove vm2 from production until patched:

npm uninstall vm2
yarn remove vm2

Isolate sandbox environment (applies to: all)

Run vm2 in a containerized or isolated environment with minimal privileges.

🧯 If You Can't Patch

  • Replace vm2 with alternative sandbox solutions like isolated-vm or secure-vm
  • Implement strict input validation and limit sandbox execution to trusted code only

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for vm2 version. If version is 3.9.19 or lower, the system is vulnerable.

Check Version:

npm list vm2 | grep vm2

Verify Fix Applied:

Verify vm2 version is 3.10.0 or higher using 'npm list vm2' or checking package.json.
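The version check above can be scripted so it runs the same way across many projects in a CI or inventory job. The following POSIX shell script is an added example, not part of this advisory or of the vm2 project: it reads the "version" field from node_modules/vm2/package.json, compares it numerically against the fixed release 3.10.0, and reports any installed version in the affected range (3.9.19 and below). The package.json path default, the function names and the exit-status convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example: flag an installed vm2 version as affected by CVE-2023-37466
# when it is below the fixed release 3.10.0 (all releases up to 3.9.19 are affected).
# The package.json path default and the function names are this example's own assumptions.

FIXED_VM2_VERSION="3.10.0"

# normalize VERSION: drop a leading "v" and any pre-release or build suffix,
# e.g. "v3.9.19-rc.1" -> "3.9.19".
normalize() {
    v=${1#v}
    v=${v%%-*}
    v=${v%%+*}
    printf '%s\n' "$v"
}

# field VERSION N: print the N-th dot-separated numeric component, or 0 if absent.
field() {
    f=$(printf '%s\n' "$1" | cut -s -d. -f"$2")
    printf '%s\n' "${f:-0}"
}

# version_lt A B: succeed when A < B by numeric major/minor/patch comparison
# (a plain string compare would wrongly order "3.9.19" after "3.10.0").
version_lt() {
    a=$(normalize "$1")
    b=$(normalize "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$a" "$i")
        y=$(field "$b" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# vm2_is_vulnerable VERSION: succeed when VERSION is in the affected range.
vm2_is_vulnerable() {
    version_lt "$1" "$FIXED_VM2_VERSION"
}

# installed_vm2_version [PACKAGE_JSON]: print the "version" field of vm2's
# package.json (default: ./node_modules/vm2/package.json); fail if not found.
installed_vm2_version() {
    pkg=${1:-node_modules/vm2/package.json}
    [ -r "$pkg" ] || return 1
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# check_vm2_project DIR: report the verdict for one project directory.
# Exit status: 0 = fixed version installed, 1 = vm2 not installed, 2 = vulnerable.
check_vm2_project() {
    dir=${1:-.}
    ver=$(installed_vm2_version "$dir/node_modules/vm2/package.json") || {
        echo "$dir: vm2 not installed"
        return 1
    }
    if vm2_is_vulnerable "$ver"; then
        echo "$dir: VULNERABLE vm2 $ver (< $FIXED_VM2_VERSION, CVE-2023-37466)"
        return 2
    fi
    echo "$dir: OK vm2 $ver (>= $FIXED_VM2_VERSION)"
    return 0
}

# Usage: sh vm2_check.sh PROJECT_DIR [PROJECT_DIR ...]
for project in "$@"; do
    check_vm2_project "$project"
done
```

Run it with one or more project directories as arguments; a non-zero exit status of 2 makes it easy to fail a pipeline step when an affected version is still present. Note that it only inspects the top-level node_modules/vm2; a nested copy pulled in by another dependency will also show up in 'npm list vm2', which is why the page's own check is still worth running.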

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js application
  • Unexpected file system access patterns
  • Abnormal network connections from Node.js process

Network Indicators:

  • Unexpected outbound connections from Node.js application
  • Command and control traffic patterns

SIEM Query:

process.name:node AND (process.args:*vm2* OR process.args:*sandbox*) AND event.action:process_start
