CVE-2023-32313
Arbitrary Code Execution vulnerability in vm2 (npm)
What is CVE-2023-32313 About?
This vulnerability in `vm2` versions 3.9.17 and lower allows an attacker running code inside the sandbox to obtain a read-write reference to the Node.js `inspect` method. With that reference the attacker can edit the options used by `console.log`, leading to a sandbox escape and potentially arbitrary code execution on the host. Exploitation requires specific knowledge of Node.js internals and the `vm2` sandbox mechanism.
Affected Software
vm2 (npm): versions 3.9.17 and earlier. Fixed in version 3.9.18.
Technical Details
The vulnerability in vm2 versions 3.9.17 and lower stems from the sandbox's incomplete isolation of Node.js's `inspect` function (the `util.inspect` routine that `console.log` uses to format values). Code running inside the sandbox could obtain a read-write reference to the host's `inspect` rather than a bridged, read-only view of it. Because the reference is writable, sandboxed code can replace or reconfigure it and thereby change how the host's `console.log` renders output. More importantly, a function object that belongs to the host realm exposes the host's `Function` constructor through its `constructor` property, and code compiled with the host `Function` runs with host globals such as `process`. That is the general route from a leaked host function to code execution outside the vm2 sandbox, which is why the advisory rates this as a sandbox escape rather than a mere logging nuisance.
What is the Impact of CVE-2023-32313?
Successful exploitation may allow attackers to execute arbitrary code outside the `vm2` sandbox with the privileges of the Node.js process hosting it, leading to full system compromise, data theft, or bypass of the security restrictions the sandboxed environment was meant to enforce.
What is the Exploitability of CVE-2023-32313?
Exploitation requires the ability to run JavaScript inside the vm2 sandbox; no authentication or other privileges are needed beyond that. Complexity is medium to high, since it takes specific knowledge of both vm2's internals and Node.js's `inspect` API. The attack is local to the sandbox, but the code that runs in it typically originates from a remote source, so any service that accepts untrusted code for execution within vm2 is exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| arkark | https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550 | Proof-of-concept gist referenced from the vm2 advisory (GHSA-p5gc-c584-jj6v) and listed under Additional Resources below |
What are the Available Fixes for CVE-2023-32313?
About the Fix from Resolved Security
The patch adds Node.js's `inspect` function from the `util` module to the VM context as a read-only property, so sandboxed code can no longer overwrite or tamper with it. This mitigates CVE-2023-32313, where an attacker could modify or replace `inspect` from sandboxed code and turn that into a sandbox escape. The NVD entry linked below records the same measure as a workaround for deployments that cannot upgrade immediately: mark the method read-only with `vm.readonly(inspect)` after creating the VM. Note also that vm2's own README states the project has been discontinued and should not be used to run untrusted code in production; upgrading to 3.9.18 closes this specific hole and nothing more.
Available Upgrade Options
- vm2
- <3.9.18 → Upgrade to 3.9.18
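A practical check to find installs still in the affected range, written as an added example rather than anything shipped by vm2 or Resolved Security. It walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` (so nested copies under other dependencies are found too), compares each vm2 entry against 3.9.18, and reports those below it. The lockfile contents and the `legacy-runner` dependency are constructed for the demonstration.

```javascript
// Added example (not part of vm2 or the advisory): find vm2 installs that are
// still below the fixed release by walking a package-lock.json "packages" map.
'use strict';

const FIXED_VERSION = '3.9.18'; // first release carrying the fix, per the advisory

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison field by field: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: every vm2 release below 3.9.18.
function isAffectedVm2Version(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a lockfileVersion 2/3 package-lock.json. Keys in "packages" are install
// paths, so nested copies such as "node_modules/a/node_modules/vm2" are found
// alongside the top-level "node_modules/vm2".
function findAffectedVm2(lockfile) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!installPath.endsWith('node_modules/vm2')) continue;
    if (!entry || !entry.version) continue;
    if (isAffectedVm2Version(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Human-readable report lines, one per affected copy (empty when clean).
function reportAffectedVm2(lockfile) {
  return findAffectedVm2(lockfile).map(
    (h) => `AFFECTED ${h.path}@${h.version} (< ${FIXED_VERSION}; upgrade to ${FIXED_VERSION})`
  );
}

// Constructed sample lockfile (hypothetical contents, not from a real project):
// the top-level vm2 is already on the fixed release, while a made-up dependency
// "legacy-runner" pins an older copy that would otherwise go unnoticed.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vm2: '^3.9.18', 'legacy-runner': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.18' },
    'node_modules/legacy-runner': { version: '1.0.0', dependencies: { vm2: '3.9.17' } },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.17' },
  },
};

// To scan a real project, replace SAMPLE_LOCKFILE with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
for (const line of reportAffectedVm2(SAMPLE_LOCKFILE)) console.log(line);
```

Lockfiles in the older lockfileVersion 1 format nest dependencies under `dependencies` instead of a flat `packages` map and would need a recursive walk; the version comparison itself is the same.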
Additional Resources
- https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
- https://nvd.nist.gov/vuln/detail/CVE-2023-32313
- https://github.com/patriksimek/vm2/releases/tag/3.9.18
- https://osv.dev/vulnerability/GHSA-p5gc-c584-jj6v
- https://github.com/patriksimek/vm2
- https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
- https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238
What are Similar Vulnerabilities to CVE-2023-32313?
Similar Vulnerabilities: CVE-2023-38704, CVE-2023-39659, CVE-2022-36067, CVE-2022-25881, CVE-2021-23393
