CVE-2023-30547
Sandbox Escape vulnerability in vm2 (npm)
What is CVE-2023-30547 About?
vm2 is an npm library for running untrusted JavaScript in a sandboxed context. In versions up to and including 3.9.16, the exception sanitization performed in its handleException() routine can be bypassed: sandboxed code can arrange for a host exception to be raised that is not sanitized before it is handed back to the sandbox. That gives the sandboxed code a reference to a host-realm object and, through it, arbitrary code execution in the host context. A short public proof of concept exists, and exploitation needs nothing beyond the ability to run code inside the sandbox.
Affected Software
- vm2 (npm): all versions up to and including 3.9.16. Fixed in 3.9.17.
Technical Details
vm2 keeps sandboxed code away from host-realm objects by proxying everything that crosses the boundary, including exceptions: when host code throws while servicing the sandbox, handleException() is supposed to sanitize the error before the sandbox's catch clause sees it. In affected versions that sanitization can be bypassed. Sandboxed code throws a crafted value (the public PoC linked below uses a Proxy whose trap fails while vm2 is inspecting it) so that a host exception is raised during handling and leaves handleException() without being wrapped. The sandbox's catch clause then holds a raw host object. From a host Error the sandboxed code can reach the host Function constructor and compile a function in the host context, which yields arbitrary code execution on the host and defeats the isolation vm2 is meant to provide.
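As an added illustration (not vm2's code, and not a reproduction of the public PoC), the following toy model shows the general failure mode in plain Node.js: an exception-sanitizing boundary whose sanitizer can itself throw hands the sandbox a raw host object, shown next to the hardened shape the fix describes. The host/sandbox split, the hostObjects marker set, the function names and the simulated host throw inside the Proxy trap are modelling assumptions; the real PoC provokes the host-side failure by recursing until the engine raises a stack overflow.

```javascript
// Added example, not vm2's own code: a toy model of an exception-sanitizing
// boundary between a host and a sandbox. It shows the failure mode behind
// CVE-2023-30547 in the abstract (a sanitizer that can itself throw hands the
// sandbox a raw host object) next to the hardened shape the fix describes.

// Host-side error objects are tracked so a caller can tell whether a value
// that reached the sandbox is a raw host object (the "escape" condition).
const hostObjects = new WeakSet();
function hostThrow(msg) {
  const e = new Error(msg);
  hostObjects.add(e);
  throw e;
}

// Naive sanitizer: inspects the thrown value before wrapping it. If the value
// is a Proxy, Object.getPrototypeOf runs the sandbox-supplied trap; if that
// trap makes the host throw, the host error leaves the sanitizer unwrapped.
function sanitizeNaive(thrown) {
  const proto = Object.getPrototypeOf(thrown);
  const msg = proto === Error.prototype ? thrown.message : thrown;
  return { sandboxError: true, message: String(msg) };
}

// Hardened sanitizer: a failure inside sanitization is caught as well, and the
// sandbox only ever receives a freshly built plain object.
function sanitizeHardened(thrown) {
  try {
    return sanitizeNaive(thrown);
  } catch (_) {
    return { sandboxError: true, message: 'error (details withheld by sandbox)' };
  }
}

// Boundary: whatever the sanitizer returns, or throws, lands in the sandbox's
// catch clause. The model returns that value so it can be inspected.
function runInToySandbox(sandboxCode, sanitize) {
  try {
    sandboxCode();
    return undefined;
  } catch (thrown) {
    try {
      return sanitize(thrown);
    } catch (leaked) {
      return leaked;               // unsanitized value reaches the sandbox
    }
  }
}

// Sandbox-side payload: throw a Proxy whose getPrototypeOf trap makes the host
// fail while it is inspecting the object. (Modelling shortcut: the host throw
// is simulated directly; the public PoC gets the engine to raise a stack
// overflow instead.)
function maliciousPayload() {
  const trap = { getPrototypeOf() { hostThrow('host-side failure during sanitization'); } };
  throw new Proxy({}, trap);
}

// Sandbox-side payload that behaves: an ordinary error.
function honestPayload() {
  throw new Error('ordinary sandbox error');
}

// True when the value observed by the sandbox is a raw host object.
function escaped(observed) {
  return typeof observed === 'object' && observed !== null && hostObjects.has(observed);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('naive sanitizer leaks host object:', escaped(runInToySandbox(maliciousPayload, sanitizeNaive)));
  console.log('hardened sanitizer leaks host object:', escaped(runInToySandbox(maliciousPayload, sanitizeHardened)));
}
```

The design point is the one the fix makes: a sanitizer sitting on a trust boundary must treat its own failure as an input it has to sanitize, because the attacker controls the object it is inspecting and therefore controls whether inspection throws.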
What is the Impact of CVE-2023-30547?
Successful exploitation gives the attacker arbitrary code execution with the privileges of the Node.js process hosting vm2: complete compromise of that process and, depending on how it is deployed, of the host, along with access to any data, credentials and network reach the process has.
What is the Exploitability of CVE-2023-30547?
The only precondition is the ability to have JavaScript executed inside a vm2 sandbox; no authentication or privileges beyond that are needed, and the escape is a deterministic short script rather than a race or a guess. Whether the bug is remotely reachable therefore depends entirely on the application: any service that runs user-supplied scripts, plugins, rules or templates through vm2 3.9.16 or earlier exposes it to everyone who can submit such code. The GitHub advisory (GHSA-ch3r-j5x3-6q2m) rates the issue Critical and public proof-of-concept code is available, so exploitation should be assumed feasible wherever untrusted code reaches an affected version.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| rvizx | Link | PoC Exploit for VM2 Sandbox Escape Vulnerability |
| Cur1iosity | Link | Tool for exploring CVE-2023-30547 |
| user0x1337 | Link | PoC to CVE-2023-30547 (Library vm2) |
What are the Available Fixes for CVE-2023-30547?
About the Fix from Resolved Security
The fix makes every path by which an exception or Promise rejection can reach sandboxed code pass through sanitization or a secure wrapper, so that no raw host object is handed to the sandbox even when exception handling itself fails. It does this by changing how vm2 instruments catch clauses and Promise handlers, closing the bypass behind CVE-2023-30547; the corresponding upstream commits are listed under Additional Resources.
Available Upgrade Options
- vm2
  - <3.9.17 → Upgrade to 3.9.17
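A quick way to check whether a project still carries an affected copy, including nested copies installed under other dependencies, as an added example (not vm2's or Resolved Security's tooling): the script below walks an npm lockfile in either the v1 layout (nested "dependencies") or the v2/v3 layout (flat "packages" map) and flags every vm2 below 3.9.17. The lockfile is constructed inline for the demo and the package names in it are made up; in practice read package-lock.json from disk.

```javascript
// Added example (not vm2's own code): audit an npm lockfile for vm2 versions
// affected by CVE-2023-30547, i.e. every release below 3.9.17.
const FIXED_VERSION = '3.9.17';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its release, so
// 3.9.17-rc.1 is still treated as unfixed.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of a package from a lockfile, including
// nested copies under other dependencies' node_modules directories.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {                       // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {            // lockfileVersion 1
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function auditVm2(lock) {
  return findPackageVersions(lock, 'vm2')
    .map(e => ({ ...e, vulnerable: isVulnerable(e.version) }));
}

// Constructed sample lockfile (made-up package names): a direct vm2 that has
// been upgraded, plus a nested, still vulnerable 3.9.16 pulled in by a
// hypothetical transitive dependency. This is the case a top-level
// "npm ls vm2" glance tends to miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.16' },
  },
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const r of auditVm2(SAMPLE_LOCK)) {
    console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'VULNERABLE (CVE-2023-30547)' : 'ok'}`);
  }
}
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a project is only clean when every reported copy is 3.9.17 or later, since a nested older copy is the one the plugin that depends on it will actually load.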
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-30547
- https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
- https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049
- https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5
- https://osv.dev/vulnerability/GHSA-ch3r-j5x3-6q2m
- https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m
- https://github.com/patriksimek/vm2
What are Similar Vulnerabilities to CVE-2023-30547?
Similar Vulnerabilities: CVE-2023-30548 (a second vm2 sanitization bypass, in Promise handlers, fixed in the same 3.9.17 release), CVE-2023-2252, CVE-2023-2251, CVE-2023-28045, CVE-2023-3758
