CVE-2023-37903

CRITICAL

Vm2 < 3.9.19 - OS Command Injection

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-37903. PoCs published by 7h3h4ckv157.

AI-analyzed exploit summary This repository contains a Proof of Concept (PoC) and a reverse shell exploit for CVE-2023-37903, a vulnerability in the vm2 sandbox library. The PoC demonstrates command execution via the `exec` function, while the reverse shell script establishes a connection to a remote listener.

Description

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

Exploits (1)

nomisec WORKING POC 8 stars
by 7h3h4ckv157 · poc
https://github.com/7h3h4ckv157/CVE-2023-37903

This repository contains a Proof of Concept (PoC) and a reverse shell exploit for CVE-2023-37903, a vulnerability in the vm2 sandbox library. The PoC demonstrates command execution via the `exec` function, while the reverse shell script establishes a connection to a remote listener.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vm2 (versions prior to 3.9.16)
No auth needed
Prerequisites: Node.js environment with vulnerable vm2 library · Network connectivity for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.3951
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
npm/vm2 0npm
vm2_project/vm2 < 3.9.19
Published Jul 21, 2023
Tracked Since Feb 18, 2026