PT-2023-2909 · Vm2 · Vm2

Arkark +1 · Published 2023-05-15 · Updated 2026-01-30 · CVE-2023-32314

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

vm2 versions up to and including 3.9.17

Description

A sandbox escape issue exists in vm2, allowing a threat actor to bypass sandbox protections and gain remote code execution rights on the host. This is achieved by abusing an unexpected creation of a host object based on the specification of Proxy. The vulnerability can be exploited by a remote attacker to execute arbitrary code.

Recommendations

For versions up to and including 3.9.17, upgrade to version 3.9.18 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the Proxy specification until a patch is applied. There are no known workarounds for this vulnerability. Users are advised to upgrade to a patched version to mitigate the risk.

Exploit

Fix

Weakness Enumeration

Special Elements Injection
Improper Handling of Exceptional Conditions

Related Identifiers

BDU:2023-02869
CVE-2023-32314
GHSA-WHPJ-8F3W-67P5

Affected Products

Vm2