CVE-2023-37466

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.0

Description vm2 is an advanced sandbox for Node.js. A flaw in the sanitization of the Promise handler allows the @@species accessor property to be bypassed. This enables attackers who already have arbitrary code execution primitives within the sandbox context to escape the isolated environment and execute arbitrary code on the host system, potentially leading to remote code execution. The project maintenance has been discontinued, and the library is not recommended for production use.

Recommendations Update to version 3.10.0.