cve/2023/CVE-2023-32314.md

### [CVE-2023-32314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32314)
![](https://img.shields.io/static/v1?label=Product&message=vm2&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%203.9.18%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%3A%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)

### Description

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### POC

#### Reference
- https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
- https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5

#### Github
- https://github.com/giovanni-iannaccone/vm2_3.9.17
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-32314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32314)`
			`![](https://img.shields.io/static/v1?label=Product&message=vm2&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%203.9.18%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-74%3A%20Improper%20Neutralization%20of%20Special%20Elements%20in%20Output%20Used%20by%20a%20Downstream%20Component%20('Injection')&color=brighgreen)`

			`### Description`

			vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

			`### POC`

			`#### Reference`
			`- https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac`
			`- https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5`

			`#### Github`
			`- https://github.com/giovanni-iannaccone/vm2_3.9.17`