PT-2023-2417 · Vm2
Seunghyun Lee +1
Published: 2023-04-17 · Updated: 2026-05-06
CVE-2023-30547
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
vm2 versions up to 3.9.16
Description
The issue exists due to inadequate sanitization of special elements in the handleException() function of the vm2 library, allowing a remote attacker to escape the sandbox and execute arbitrary code in the host context. This can be achieved by raising an unsanitized host exception inside the handleException() function.
Recommendations
For versions up to 3.9.16, upgrade to version 3.9.17 or later to resolve the issue.
As a temporary workaround, consider disabling the handleException() function until a patch is available.
Exploit
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products: Vm2