CVE-2023-37903

9.8 CRITICAL

📋 TL;DR

CVE-2023-37903 is a critical sandbox escape vulnerability in vm2, a Node.js sandboxing library. Attackers with code execution inside the vm2 sandbox can exploit Node.js's custom inspect function to break out of the sandbox and execute arbitrary code on the host system. This affects all users running vm2 versions up to and including 3.9.19.

💻 Affected Systems

Products:
  • vm2
Versions: All versions up to and including 3.9.19
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vm2 for sandboxing untrusted code is vulnerable. The vulnerability requires an attacker to already have code execution inside the vm2 sandbox context.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution on the host system, allowing complete compromise of the server and potential lateral movement within the network.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or deployment of malware/ransomware.

🟢 If Mitigated

Limited impact if vm2 is isolated in a container with minimal privileges and network access, though sandbox escape still poses significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an initial code execution primitive within the vm2 sandbox. Once achieved, the sandbox escape is straightforward using the documented technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

Restart Required: No

Instructions:

No official patch exists. The vendor advises finding alternative software. Consider migrating to isolated-vm or another sandboxing solution.

🧯 If You Can't Patch

  • Immediately remove vm2 from production environments and replace with alternative sandboxing solutions.
  • If vm2 must remain temporarily, isolate it in a container with minimal privileges, no network access, and strict resource limits.

🔍 How to Verify

Check if Vulnerable:

Check package.json and node_modules for the vm2 version, including transitive dependencies. Run: npm list vm2, or inspect package-lock.json.

Check Version:

If vm2 is installed: node -e "console.log(require('vm2/package.json').version)"

Verify Fix Applied:

Verify vm2 is no longer installed or has been replaced with an alternative. Run: npm list | grep vm2
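As an added example (not part of this advisory), the following script scans a package-lock.json object for every vm2 entry, including ones pulled in transitively, and flags versions at or below 3.9.19, the affected range stated above. The sample lockfile is constructed; point findVm2 at your own parsed lockfile in practice.

```javascript
// Added example: flag vm2 versions <= 3.9.19 (CVE-2023-37903) in a package-lock.json.
// Handles lockfile v1 ("dependencies", nested) and v2/v3 ("packages", flat paths).

const LAST_AFFECTED = "3.9.19";

// Compare two dotted versions numerically; returns -1, 0 or 1. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

// Returns { path, version, affected } for every vm2 entry found in the lockfile.
function findVm2(lock) {
  const found = [];
  const record = (p, v) => found.push({ path: p, version: v, affected: isAffected(v) });
  if (lock.packages) {                       // lockfile v2/v3: keys are node_modules paths
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "node_modules/vm2" || p.endsWith("/node_modules/vm2")) record(p, meta.version);
    }
  } else if (lock.dependencies) {            // lockfile v1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === "vm2") record(p, meta.version);
        if (meta.dependencies) walk(meta.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Constructed sample lockfile (v3) where vm2 arrives via a hypothetical dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/some-runner": { version: "2.1.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/some-runner/node_modules/vm2": { version: "3.9.19" },
  },
};

console.log(findVm2(SAMPLE_LOCK));
```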

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js applications using vm2
  • Error logs related to sandbox violations or inspect function calls

Network Indicators:

  • Unexpected outbound connections from Node.js processes that should be sandboxed

SIEM Query:

Process creation where parent process is Node.js and command line contains suspicious patterns like 'child_process.spawn' from vm2 context
