CVE-2023-37903
Sandbox Escape vulnerability in vm2 (npm)
What is CVE-2023-37903 About?
This vm2 vulnerability allows attackers to escape the sandbox and run arbitrary code by exploiting the Node.js custom inspect function. Assuming an initial arbitrary code execution primitive within the sandbox, this flaw provides a path to complete system compromise. The exploit leverages specific Node.js functionality that the sandbox fails to properly restrict.
Affected Software
Technical Details
The vulnerability lies within vm2 (versions up to 3.9.19) and springs from an improper handling or restriction of the Node.js custom inspect function. In Node.js, objects can define a [Symbol.for('nodejs.util.inspect.custom')] method to customize their string representation when inspected. The vm2 sandbox fails to adequately filter or restrict the behavior of this custom inspect function when called within the sandbox. If an attacker has an existing arbitrary code execution primitive within the vm2 sandbox, they can craft an object that, when its custom inspect method is invoked (e.g., by logging or inspecting the object), executes code outside the sandbox's boundaries. This allows for a sandbox escape, enabling arbitrary code execution in the host context.
What is the Impact of CVE-2023-37903?
Successful exploitation may allow attackers to escape the vm2 sandbox, achieving Remote Code Execution and potentially gaining full control over the host system.
What is the Exploitability of CVE-2023-37903?
Exploitation requires the attacker to already have an arbitrary code execution primitive inside the vm2 sandbox. The complexity is moderate: it involves crafting specific JavaScript objects and triggering their custom inspect method from within the sandboxed environment. There are no authentication requirements beyond the initial access that allows code execution in the sandbox, and no privilege requirements for the sandboxed user, since the sandbox's constraints are exactly what is being broken out of. From the perspective of the sandboxed process this is primarily a local vulnerability, but if the sandbox is reachable remotely (for example, a service that runs user-supplied scripts in vm2), it can be triggered remotely. The special condition is the ability to have the host invoke the Node.js custom inspect function on an attacker-controlled object. Risk factors include running untrusted code in vm2 instances and inadequate filtering of input that might create such objects.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| 7h3h4ckv157 | Link | Exploit for CVE-2023-37903 |
What are the Available Fixes for CVE-2023-37903?
About the Fix from Resolved Security
This patch fixes CVE-2023-37903 by preventing access to the global Proxy constructor within the sandboxed environment, ensuring attackers cannot escalate privileges or bypass restrictions using Proxy-based exploits. It also restricts prototype pollution and constructor manipulation techniques, such as Symbol.species attacks on Promise, by enforcing the Promise species to a safe local subclass and freezing critical built-ins. These changes effectively neutralize a class of sandbox escape vectors that relied on manipulating or escaping the Proxy and Promise constructors.
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
- https://security.netapp.com/advisory/ntap-20230831-0007
- https://github.com/patriksimek/vm2
- https://nvd.nist.gov/vuln/detail/CVE-2023-37903
- https://osv.dev/vulnerability/GHSA-g644-9gfx-q4q4
What are Similar Vulnerabilities to CVE-2023-37903?
Similar Vulnerabilities: CVE-2023-29199, CVE-2023-37466, CVE-2022-38682, CVE-2022-31629, CVE-2021-23425
