vm2
Safeguard articles tagged "vm2" — guides, analysis, and best practices for software supply chain and application security.
4 articles
CVE-2023-32314: Sandbox escape in vm2
CVE-2023-32314 let attackers escape the vm2 Node.js sandbox for remote code execution. Here's the CVSS 10.0 flaw, affected versions, timeline, and fixes.
CVE-2023-30547: Sandbox escape via Node custom inspect in...
CVE-2023-30547 lets attackers escape the vm2 Node.js sandbox via a crafted custom inspect method, achieving host code execution. Here's the impact, timeline, and fix.
CVE-2023-37466: Remote code execution via vm2 sandbox escape
A critical vm2 sandbox escape (CVE-2023-37466) lets untrusted JavaScript break out to achieve remote code execution on the host Node.js process.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.