Voyager18 (research)

Understanding CVE-2023-29199 and CVE-2023-30547

CVE-2023-29199 and CVE-2023-30547 are critical vulnerabilities affecting the popular VM2 Javascript library. Here's what you need to know.

Yair Divinsky | April 20, 2023

In April 2023, two critical vulnerabilities – CVE-2023-29199 and CVE-2023-30547 – were identified in popular software. These vulnerabilities can have serious consequences for individuals and organizations, making it important to understand them.

The VM2 JS library is commonly used by various software applications, including IDEs, code editors, and security tools, to run code partially on isolated Node.js servers while safeguarding system resources and external data from unauthorized access.

This blog post follows the discovery and patching of these two critical vulnerabilities in the VM2 JavaScript library.

Here’s what you need to know:

What are the CVE-2023-29199 and CVE-2023-30547 vulnerabilities?

CVE-2023-29199 and CVE-2023-30547 are two critical vulnerabilities that were discovered in 2023 that allow attackers to bypass the sandbox protections of the VM2 JS library, which can lead to remote code execution on the host system. Both flaws are rated 9.8 out of 10 on the CVSS scoring system, indicating that they have a high severity level. Proof-of-concept (PoC) exploits for these vulnerabilities have been released, increasing the likelihood of future exploitation.

CVE-2023-29199, a vulnerability in the popular web application framework allows an attacker to execute arbitrary code on the affected system. This vulnerability occurs due to a flaw in the way the framework handles user input. An attacker can exploit this vulnerability by sending specially crafted input to the affected system, which can cause the system to execute malicious code.

Finally, the new vulnerabilities could allow an attacker to bypass authentication and gain unauthorized access to sensitive data. It occurs due to a flaw in the authentication mechanism used by the system. An attacker can exploit this vulnerability by sending specially crafted requests to the affected system, which can bypass the authentication mechanism and allow the attacker to access sensitive data.

Do they affect me?

VM2 is a sandbox that can run untrusted code with whitelisted Node’s built-in modules. A vulnerability exists in exception sanitization of VM2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context.

This vulnerability was patched in the release of version `3.9.17` of `VM2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.If you are an individual who uses the affected software, you may be at risk of having your sensitive data compromised. This can include personal information, financial data, and other sensitive information that you store on your computer or device.

If you are an organization that uses the affected software, the impact can be even greater. An attacker could gain unauthorized access to your network and steal sensitive corporate data, compromise critical systems, or cause damage to your reputation.

Have CVE-2023-29199 and CVE-2023-30547 been actively exploited in the wild?

Currently, there have been no reports of these vulnerabilities being actively exploited in the wild. However, it is important to note that it is only a matter of time before attackers start to target these vulnerabilities. As such, it is critical that affected individuals and organizations take steps to protect themselves.

Fixing CVE-2023-29199 and CVE-2023-30547

The recommended action for system administrators is to patch their vulnerable systems immediately and analyze system and network logs for any suspicious activity. The patches are available in the latest versions of the VM2 library, versions 3.9.16 and 3.9.17. If you are using the affected software, it is important that you take steps to fix these vulnerabilities.

The first step is to check if there is a patch available for the software. Most software vendors release patches for vulnerabilities as soon as they are discovered.

If a patch is available, you should apply it as soon as possible. This will help to protect your system from any potential attacks that could exploit these vulnerabilities. If a patch is not available, you should contact the software vendor and report the issue. The vendor may be able to provide you with a workaround or other alternatives.

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

  1. Q1 2023 Vulnerability watch report
  2. MITRE ATTACK framework – Mapping techniques to CVEs 
  3. Exploit maturity: an introduction 
  4. OWASP Top 10 vulnerabilities 2022: what we learned
  5. How to fix CVE-2023-25610 in FortiOS

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.


Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy