CVE-2023-37466
Sandbox Escape vulnerability in vm2 (npm)

Tags: Sandbox Escape | No known exploit | Fixable by Resolved Security

What is CVE-2023-37466 About?

This vulnerability in vm2, affecting versions up to and including 3.9.19, allows attackers to escape the sandbox and execute arbitrary code because of a bypass in the sanitization of `Promise` handlers. The impact is remote code execution, assuming the attacker already has code execution within the sandbox. Exploitation is easy, as a proof of concept (PoC) has been provided.

Affected Software

vm2 <=3.9.19
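Because the affected range is defined purely by version (every vm2 release up to and including 3.9.19), the first thing a defender wants is a quick way to find every copy of vm2 in a dependency tree that falls inside that range, including nested copies pulled in transitively. The following script is an added example written for this page; it is not code from the advisory or from the vm2 project. It assumes an npm lockfile in the lockfileVersion 2/3 layout (a top-level `packages` map keyed by install path such as `node_modules/vm2`), and the sample lockfile embedded at the bottom is constructed for the example, so its package names and versions are made up.

```javascript
// Added example (not from the advisory or the vm2 project): audit an npm
// package-lock.json for vm2 installs in the affected range (<= 3.9.19)
// reported for CVE-2023-37466. Assumes lockfileVersion 2/3 ("packages" map).

const AFFECTED_MAX = '3.9.19'; // inclusive upper bound stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts. Prerelease and
// build suffixes are ignored, so "3.9.20-0" is treated like "3.9.20".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the given vm2 version is within the advisory's affected range.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a parsed package-lock.json and return every
// install path of vm2 (direct or nested under another dependency) whose
// version is affected. The root entry (key "") is the project itself.
function auditLockfile(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '' || !path.endsWith('node_modules/vm2')) continue;
    if (!meta || !meta.version) continue;
    if (isAffected(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Constructed sample lockfile (names and versions made up for this example):
// a direct vm2 at the last affected release plus a nested copy pulled in by
// a hypothetical "some-runner" package that pins an older vm2.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-runner': { version: '1.0.0', dependencies: { vm2: '3.9.11' } },
    'node_modules/some-runner/node_modules/vm2': { version: '3.9.11' },
    'node_modules/acorn': { version: '8.10.0' },
  },
};

// Print a human-readable report for the constructed sample.
function report(lock) {
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.path}: vm2@${f.version} is within the affected range (<= ${AFFECTED_MAX})`);
  }
  if (findings.length === 0) console.log('no affected vm2 installs found');
  return findings;
}

report(SAMPLE_LOCK);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies matter: a project can have no direct vm2 dependency and still ship an affected copy under another package's `node_modules`, which is why the audit matches on the path suffix rather than only the top-level entry.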

Technical Details

The vulnerability exists in vm2 versions up to and including 3.9.19 and concerns a bypass in the sanitization of Promise handlers that leads to a sandbox escape. vm2 aims to provide a secure sandboxed environment for running untrusted code, but the mechanism designed to sanitize or restrict the behavior of JavaScript Promise handlers contains a flaw. An attacker who already has an arbitrary code execution primitive within the vm2 sandbox can leverage this flaw: by manipulating Promise objects and their handler chains, the attacker can break out of the confined sandbox environment and execute arbitrary code with the privileges of the vm2 host process, outside the intended security boundary. The sanitization bypass is, in effect, a loophole through which crafted Promise operations can access or manipulate the outer Node.js environment, rendering the sandbox ineffective. A proof of concept (PoC) exists, demonstrating the feasibility of this sandbox escape.

What is the Impact of CVE-2023-37466?

Successful exploitation may allow attackers to execute arbitrary code outside the vm2 sandbox with the privileges of the host process, potentially leading to full system compromise.

What is the Exploitability of CVE-2023-37466?

Exploitation requires an attacker to first achieve arbitrary code execution within the vm2 sandbox, whether through a separate vulnerability or through a feature abused by a malicious user. Once inside the sandbox, exploiting the Promise handler sanitization bypass is likely of low to moderate complexity, especially given the existence of a proof of concept (PoC). This is primarily a local exploitation scenario relative to the sandbox environment itself, rather than remote access. No specific authentication or additional privileges are described as necessary beyond the initial ability to run code in the sandbox. The primary risk factor is any application that uses vm2 to execute untrusted code, since the sandbox is intended to provide a critical security boundary.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-37466?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents the use of Proxy constructors inside the sandbox by setting global.Proxy to undefined and adds checks for the isProxy property, which blocks attacks that relied on constructing or manipulating Proxy objects to break out of the sandbox. It also hardens Promise handling against prototype pollution and species attacks, ensuring promise chains cannot escape the context. These changes fix CVE-2023-37466 by closing vectors for sandbox breakout through Proxy and Promise exploits.

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2023-37466?

Similar Vulnerabilities: CVE-2023-29007, CVE-2022-39324, CVE-2022-29074, CVE-2022-26157, CVE-2021-23425