CVE-2023-37903
CRITICAL: vm2 < 3.9.19 - OS Command Injection
Title source: ruleDescription
vm2 is an open source vm/sandbox for Node.js. In vm2 versions up to and including 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker already has an arbitrary code execution primitive inside the context of the vm2 sandbox. There are no patches and no known workarounds. Users are advised to find alternative software.
Exploits (1)
Scores
CVSS v3
9.8
EPSS
0.3609
EPSS Percentile
97.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
npm/vm2
0npm
vm2_project/vm2
< 3.9.19
Published
Jul 21, 2023
Tracked Since
Feb 18, 2026