PT-2023-2352 · Vm2 · Vm2
Seunghyun Lee +1 · Published 2023-04-12 · Updated 2026-01-30
CVE-2023-29199
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
vm2 versions up to 3.9.15
Description
The issue lies in the exception sanitization logic of vm2's source code transformer: attackers can bypass the handleException() function and leak unsanitized host exceptions. This can be used to escape the sandbox and run arbitrary code in the host context, giving a threat actor remote code execution rights on the host running the sandbox.
Recommendations
For versions up to 3.9.15, update to version 3.9.16 to patch the vulnerability.
As a temporary workaround, consider disabling the handleException() function until a patch is available.
Restrict access to the vm2 sandbox to minimize the risk of exploitation.
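A check that supports the update recommendation above, as an added example (not code from the advisory or from the vm2 project): it walks a parsed npm lockfile and classifies every vm2 copy, including transitive ones, against the 3.9.16 fix. The sample lockfiles and the `example-dep` and `demo-app` names are constructed for illustration.

```javascript
// Added example: flag vm2 copies affected by CVE-2023-29199 in a parsed npm lockfile.
const FIXED = [3, 9, 16]; // first patched release per the advisory

// Classify a version string as 'affected', 'patched' or 'unknown'.
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(String(version));
  if (!m) return 'unknown'; // git URL, tarball, missing field: review by hand
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i] ? 'affected' : 'patched';
  }
  return m[4] ? 'unknown' : 'patched'; // a 3.9.16 prerelease sorts below 3.9.16
}

// Return every vm2 entry in the lockfile, including nested (transitive) copies.
function findVm2(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, status: classify(meta.version) });
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) record(path, meta);
    }
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${name}` : name;
      if (name === 'vm2') record(path, meta);
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/vm2': { version: '3.9.15' },
  'node_modules/example-dep/node_modules/vm2': { version: '3.9.17' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'example-dep': { version: '1.0.0', dependencies: { vm2: { version: '3.9.11' } } },
} };

console.log(findVm2(SAMPLE_V3));
console.log(findVm2(SAMPLE_V1));
```

For a real project, pass the parsed contents of `package-lock.json` to `findVm2`; any entry reported as `affected` or `unknown` needs follow-up before the sandbox is exposed to untrusted code.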
Affected Products
Vm2