vm2 sandbox escape via Node.js custom inspect
vm2, an open-source VM/sandbox library for Node.js, is vulnerable in versions up to and including 3.9.19 to a sandbox escape through the Node.js custom inspect function. An attacker who can already execute arbitrary JavaScript inside a vm2 sandbox can abuse custom inspect behavior to cross the sandbox boundary and run arbitrary code in the host Node.js process; the issue is rated a critical sandbox escape that can lead to remote code execution on the underlying system. That precondition matters for triage: the flaw does not by itself grant code execution, it turns the normal use case for vm2 (running untrusted code in the sandbox) into host-level execution. The available advisory text names only the Node.js custom inspect function as the vector and gives no function-level root cause.
Exploits
This repository provides exploit code for CVE-2023-37903 in the vm2 Node.js library. It contains two JavaScript files, PoC.js and Reverse_shell.js. PoC.js demonstrates arbitrary command execution by running a ping against an attacker-supplied IP address and serves as the proof of concept. Reverse_shell.js executes a bash command that opens a reverse shell to an attacker-controlled IP and port, giving the attacker remote shell access to the vulnerable host. The README provides a brief description and credits. The attacker must supply their own IP and port, and the target must be running a vulnerable version of vm2. As with the vulnerability itself, the code has to be executed inside the vm2 sandbox, so these files are payloads for an existing sandbox code-execution primitive rather than a standalone network attack; the resulting access is remote code execution on the host, delivered here as a bash reverse shell, which also assumes a Unix-like target with bash available. No hardcoded endpoints are present; placeholders are used for attacker-supplied values.
Recent activity
A vm2 sandbox bypass issue in Node.js where a prior fix for CVE-2023-37903 could be bypassed by omitting the require option, defeating a security check intended to block the unsafe combination of nesting: true and require: false.
An earlier vm2 vulnerability referenced as the incomplete prior fix that CVE-2026-47137 bypasses.
A previously disclosed vm2 sandbox escape vulnerability; its disclosure is noted as contributing to a (later reversed/removed) discontinuation announcement for the project.
Critical VM2 JavaScript sandbox escape leading to remote code execution via abuse of Node.js custom inspect functionality (requires an attacker-controlled code execution primitive within the VM2 sandbox context).