CVE-2023-30547

CRITICAL

Vm2 < 3.9.16 - Injection

Title source: rule

Exploitation Summary

EIP tracks 5 public exploits for CVE-2023-30547. PoCs published by rvizx, rvzsec, Cur1iosity.

AI-analyzed exploit summary This repository contains a functional PoC exploit for CVE-2023-30547, a VM2 sandbox escape vulnerability. The exploit leverages exception sanitization flaws to achieve arbitrary code execution in the host context.

Description

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Exploits (5)

nomisec WORKING POC 47 stars

by rvizx · poc

https://github.com/rvizx/CVE-2023-30547

View Code ZIP pw:eip

This repository contains a functional PoC exploit for CVE-2023-30547, a VM2 sandbox escape vulnerability. The exploit leverages exception sanitization flaws to achieve arbitrary code execution in the host context.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 < 3.9.17

No auth needed

Prerequisites: Target must be running a vulnerable version of vm2 (< 3.9.17) · Ability to send crafted payloads to the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 46 stars

by rvzsec · poc

https://github.com/rvzsec/CVE-2023-30547

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-30547, a VM2 sandbox escape vulnerability. The exploit leverages a flaw in exception sanitization to achieve arbitrary code execution by manipulating the prototype chain and throwing a proxied error.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 < 3.9.17

No auth needed

Prerequisites: Target must be running a vulnerable version of vm2 (< 3.9.17) · Ability to send crafted payloads to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 01, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Cur1iosity · poc

https://github.com/Cur1iosity/CVE-2023-30547

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2023-30547, a sandbox escape vulnerability in vm2 versions up to 3.9.16. The exploit leverages exception sanitization flaws to execute arbitrary commands, spawn reverse shells, or establish web shells on vulnerable targets.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 (versions < 3.9.17)

No auth needed

Prerequisites: Target must be running a vulnerable version of vm2 (< 3.9.17) · Network access to the target's endpoint

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by junnythemarksman · poc

https://github.com/junnythemarksman/CVE-2023-30547

View Code ZIP pw:eip

This PoC exploits CVE-2023-30547 in vm2 sandbox by leveraging unsanitized host exceptions to escape the sandbox and execute arbitrary code. It sends a base64-encoded payload via HTTP POST to a vulnerable endpoint, triggering a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 (versions up to 3.9.16)

No auth needed

Prerequisites: Vulnerable vm2 version (≤3.9.16) · Network access to target endpoint · Listener setup for reverse shell

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by user0x1337 · poc

https://github.com/user0x1337/CVE-2023-30547

View Code ZIP pw:eip

This is a functional Proof-of-Concept exploit for CVE-2023-30547, a vm2 sandbox escape vulnerability. It leverages a prototype pollution technique to achieve remote code execution (RCE) via a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: vm2 (versions prior to 3.9.16)

No auth needed

Prerequisites: Target must be running a vulnerable version of vm2 · Network access to the target URL · Listener set up for reverse shell

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

Patch x_refsource_misc

https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5

View Patch ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244

Scores

CVSS v3 9.8

EPSS 0.8368

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-74

Status published

Products (2)

npm/vm2 0 - 3.9.17npm

vm2_project/vm2 < 3.9.16

Published Apr 17, 2023

Tracked Since Feb 18, 2026