9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32314

GHSA ID

GHSA-whpj-8f3w-67p5

EPSS Score

0.98481%

CWE

CWE-74

Published

5/15/2023

Updated

11/5/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32314

CVE-2023-32314:
vm2 Sandbox Escape vulnerability

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy.

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.18 of vm2.

Workarounds

None.

References

PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac

For more information

If you have any questions or comments about this advisory:

Open an issue in VM2

Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32314

GHSA ID

GHSA-whpj-8f3w-67p5

EPSS Score

0.98481%

CWE

CWE-74

Published

5/15/2023

Updated

11/5/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vm2	npm	< 3.9.18	3.9.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Proxy handler arguments were handled pre-patch. The PoC demonstrates that when a Proxy's apply trap is invoked, V8 passes arguments as a host-created array (argArray). In vulnerable versions, vm2 failed to properly wrap these host-originating arguments arrays, allowing access to the host's Function constructor through arguments.constructor.constructor. The commit adds wrapping logic (wrapProxyHandler, makeSafeHandlerArgs) to sanitize handler arguments, confirming the vulnerability existed in the original Proxy handling implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s*n**ox *s**p* vuln*r**ility *xists in vm* *or v*rsions up to *.*.**. It **us*s *n un*xp**t** *r**tion o* * *ost o*j**t **s** on t** sp**i*i**tion o* `Proxy`. ### Imp**t * t*r**t **tor **n *yp*ss t** s*n**ox prot**tions to **in r*mot* *o** *x**uti

Reasoning

T** vuln*r**ility st*ms *rom *ow Proxy **n*l*r *r*um*nts w*r* **n*l** pr*-p*t**. T** Po* **monstr*t*s t**t w**n * Proxy's *pply tr*p is invok**, V* p*ss*s *r*um*nts *s * *ost-*r**t** *rr*y (*r**rr*y). In vuln*r**l* v*rsions, `vm*` **il** to prop*rly

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-32314: vm2 Sandbox Escape vulnerability

Impact

Patches

Workarounds

References

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-32314:
vm2 Sandbox Escape vulnerability

Vulnerability Intelligence
Miggo AI