CVE-2023-29199
Sandbox Escape vulnerability in vm2 (npm)

Tags: Sandbox Escape | No known exploit | Fixable by Resolved Security

What is CVE-2023-29199 About?

This vm2 vulnerability lets code running inside the sandbox bypass `handleException()`, the routine that is supposed to sanitize exceptions before sandboxed code can inspect them, and obtain an unsanitized host exception. A host exception object carries references into the host context, so this is a sandbox escape: the attacker can go on to execute arbitrary code in the host Node.js process. The only precondition is the ability to run code inside the vm2 sandbox, which is exactly what vm2 is typically deployed to allow, so the flaw is rated critical.

Affected Software

vm2 <3.9.16

Technical Details

The vulnerability resides in vm2's source code transformer and exception sanitization logic (versions up to 3.9.15). vm2 rewrites the code it runs so that every exception arriving in a sandboxed `catch` clause first passes through `handleException()`, which replaces host-side exception objects with sandbox-safe equivalents. That rewrite could be bypassed: a `catch` clause whose parameter is a destructuring pattern reads properties off the raw thrown value before the sanitizing logic runs, so sandboxed code that provokes a host exception can bind those properties directly. An unsanitized host exception is an object of the host realm, so its prototype chain and constructor are host references; from such a reference the attacker can reach host functionality and execute arbitrary code outside the sandbox, breaking the intended isolation.

What is the Impact of CVE-2023-29199?

Successful exploitation lets code running inside the vm2 sandbox escape it and execute arbitrary code in the host Node.js process, with the full privileges of that process. Whatever the host process can reach (credentials, the filesystem, the network) the attacker can reach too, which can amount to full control of the compromised system.

What is the Exploitability of CVE-2023-29199?

Exploitation requires the attacker to already be able to run JavaScript inside a vm2 sandbox; the vulnerability is then triggered by crafting code that provokes a host exception and catches it in a way that bypasses sanitization. Complexity is moderate. No authentication or privilege is needed beyond that initial code execution inside the sandbox, because the goal is precisely to escape its confines. From the perspective of the sandboxed code this is a local vulnerability, but wherever an application feeds remotely supplied code into vm2 (for example a web service that evaluates user-submitted scripts or plugins) it is remotely triggerable. The risk is therefore highest for deployments that run untrusted code in vm2 instances, particularly in production, since isolating untrusted code is the one job vm2 exists to do.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(No known exploits)

What are the Available Fixes for CVE-2023-29199?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

The patch changes how vm2's transformer rewrites `catch` clauses whose parameter is a destructuring pattern. Instead of letting the pattern destructure the raw, potentially host-originated exception directly, the rewritten clause routes the caught value through the exception-sanitizing logic and applies the original destructuring only to the sanitized result, so the whole catch body only ever sees sanitized exceptions. This closes the path by which attackers exploited the catch clause to escape the VM sandbox and addresses the code injection vulnerability described in CVE-2023-29199.
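
To make the mechanism concrete, the following is an added model in plain JavaScript; it is not vm2's code and runs without vm2 installed. `HostError`, `SandboxError`, `handleException` and the two `catchWithPattern*` functions are simplified stand-ins for vm2's sanitizer and for the two shapes of rewritten catch clause described above (the real transformer operates on the program's AST, and a real escape reaches host objects through other means). The point it demonstrates is why a destructuring catch parameter defeats a sanitizer that runs inside the catch body, and why destructuring the sanitized value instead fixes it.

```javascript
// --- "Host" side: objects that must never be reachable from sandboxed code ---
class HostError extends Error {}
const HOST_ONLY = Object.freeze({ note: 'a reference only the host should hold' });

function throwHostException() {
  const err = new HostError('boom');
  err.hostRef = HOST_ONLY; // property pointing at host state (constructed for the model)
  throw err;
}

// --- "Sandbox" side ---
class SandboxError extends Error {}

// Stand-in for vm2's handleException(): anything that is not already a
// sandbox-owned error is replaced by a fresh SandboxError carrying only the message.
function handleException(e) {
  if (e instanceof SandboxError) return e;
  const hasMessage = e !== null && e !== undefined && e.message !== undefined;
  return new SandboxError(hasMessage ? String(e.message) : String(e));
}

// Shape of a rewritten catch clause BEFORE the fix, as the advisory describes it:
// the sanitizer is meant to run inside the body, but a destructuring parameter
// has already read `constructor` and `hostRef` from the raw host exception
// before any statement of the body executes.
function catchWithPatternBeforeFix() {
  try {
    throwHostException();
  } catch ({ constructor: ctor, hostRef }) {
    // Nothing left for a body-level sanitizer to rewrite: the bindings already
    // hold host-side values.
    return { ctor, hostRef };
  }
}

// Shape AFTER the fix: catch into a plain binding, sanitize it, and only then
// apply the original pattern to the sanitized value.
function catchWithPatternAfterFix() {
  try {
    throwHostException();
  } catch (raw) {
    const { constructor: ctor, hostRef } = handleException(raw);
    return { ctor, hostRef };
  }
}

// True when anything from the host side reached the sandbox's bindings.
function leaksHostState(bindings) {
  return bindings.ctor === HostError || bindings.hostRef === HOST_ONLY;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before fix leaks host state:', leaksHostState(catchWithPatternBeforeFix())); // true
  console.log('after fix leaks host state: ', leaksHostState(catchWithPatternAfterFix()));  // false
}
```

The model deliberately stops at "a host reference is reachable"; turning such a reference into host code execution is what the real exploit does and is not shown here. The design lesson carries over to any sandbox built by source rewriting: sanitization must happen before the first point at which user code can observe the value, and parameter patterns are such a point.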

Available Upgrade Options

  • vm2
    • <3.9.16 → Upgrade to 3.9.16

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-29199?

Similar Vulnerabilities: CVE-2023-37903, CVE-2023-37466, CVE-2022-38682, CVE-2022-31629, CVE-2021-23425