Critical Vulnerability in vm2 Library
10 April 2023
vm2 has released patches to address a critical vulnerability (CVE-2023-29017) in the vm2 library. The vm2 library is a JavaScript sandbox designed to run untrusted code in an isolated and virtualised environment. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful exploitation of the vulnerability could allow an unauthenticated threat actor to bypass the sandbox protections and perform remote code execution (RCE) on the host machine running the sandbox.
The vulnerability affects vm2 versions v3.9.14 and earlier.
Users and administrators of affected product versions are advised to update to the latest version.
More information is available here:
https://github.com/advisories/GHSA-7jxr-cg7f-gpgv