vm2 JavaScript Sandbox Library Remote Code Execution Vulnerability (CVE-2023-29017)

vm2 has released a patch for a critical severity vulnerability (CVE-2023-29017) with a CVSS score of 9.8. Korea Advanced Institute of Science and Technology (KAIST) WSP Lab has discovered the vulnerability. The vulnerability originates from improper input handling of host objects.  
A proof-of-concept exploit has been made public on GitHub, explaining the severity and potential risk of the vulnerability. 
vm2 is a widely used JavaScript sandbox that can run untrusted code with allowed Node’s built-in modules. Sandboxes are used in modern applications for a variety of functions. vm2 has over 16 million monthly downloads. The product is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products. Due to this, the vm2 vulnerability can have severe consequences for apps that use it, given the nature of sandbox use cases. 
In October 2022, vm2 patched another critical vulnerability CVE-2022-36067 named “Sandbox.” The vulnerability allowed an attacker to escape the vm2 sandbox environment and run shell commands on the machine hosting the sandbox. 


The root cause of the vulnerability is the improper handling of host objects passed to Error.prepareStackTrace leading to an asynchronous error. An attacker can bypass the sandbox’s protections and perform remote code execution on the host running the sandbox by successfully exploiting the vulnerability. 
In the PoC, the researcher created a file named ‘flag‘ on the host system. This proves that VM2’s sandbox security measures can be avoided, enabling command execution to create arbitrary files on the host system. 

Affected versions

vm2 NPM package versions before 3.9.15 are affected by this vulnerability. 


Customers should upgrade to vm2 NPM package version 3.9.15 or later to mitigate this vulnerability. For more information, please refer to the GitHub Advisory (GHSA-7jxr-cg7f-gpgv). 

Qualys Detection

Qualys customers can scan their devices with QID 378375 and 992769 to detect vulnerable assets.  
QID 992769 is currently available via the SCA (Software Composition Analysis) capabilities for Container Security. 
This QID checks for vulnerable versions of the vm2 NPM package installed globally. The QID runs the “npm list -g –silent” command and checks the file “/usr/local/lib/node_modules/vm2/package.json” to look for vulnerable versions of vm2. 
Note: NPM packages can be installed anywhere as a developer/production dependency. This QID can only detect vm2 packages that are installed globally. This QID checks for installed packages within the ‘% systemdrive%\Users\Administrator’ directory for Microsoft Windows. 
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  

Leave a Reply

Your email address will not be published. Required fields are marked *