PT-2023-3681 · Vm2 · Vm2

Leesh3288

·

Published

2023-07-13

·

Updated

2026-06-13

·

CVE-2023-37903

CVSS v2.0

10

Critical

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: vm2 versions up to and including 3.9.19

Description: The issue in vm2 allows attackers to escape the sandbox and run arbitrary code, potentially resulting in Remote Code Execution. This is possible because of the Node.js custom inspect function. There is no information about the estimated number of potentially affected devices worldwide or about real-world incidents in which this issue was exploited. The vulnerability exists because of the lack of measures to neutralize special elements used in the operating system command.

Recommendations: For versions up to and including 3.9.19, as a temporary workaround, consider disabling the custom inspect function until a patch is available. However, since there are no patches and no known workarounds, users are advised to find alternative software. Avoid using the vm2 sandbox for emulation until the issue is resolved.

Exploit

Fix

RCE

OS Command Injection


Weakness Enumeration

Related identifiers

BDU:2023-03966
CVE-2023-37903
GHSA-G644-9GFX-Q4Q4

Affected products

Vm2