What is CVE-2023-37466?

CVE-2023-37466 is a critical-severity vulnerability in Patriksimek Vm2, classified under Code Injection. CVSS score: 9.8/10. Published 2023-07-13.

How severe is CVE-2023-37466?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2023-37466 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Patriksimek Vm2

CVE-2023-37466

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanit…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.049 (89.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Patriksimek Vm2 — versions <= 3.9.19

Weakness classification (CWE)

CWE-94 — Code Injection

Public proof-of-concept exploits

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 (x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744 (x_refsource_MISC)
https://github.com/patriksimek/vm2/releases/tag/v3.10.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-37466?: CVE-2023-37466 is a critical-severity vulnerability in Patriksimek Vm2, classified under Code Injection. CVSS score: 9.8/10. Published 2023-07-13.
How severe is CVE-2023-37466?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2023-37466 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.