CVE-2023-37903: vm2 Sandbox Escape vulnerability

July 13, 2023 (updated November 4, 2025)

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

References

github.com/advisories/GHSA-g644-9gfx-q4q4
github.com/patriksimek/vm2
github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
nvd.nist.gov/vuln/detail/CVE-2023-37903
security.netapp.com/advisory/ntap-20230831-0007
security.netapp.com/advisory/ntap-20241108-0002

Code Behaviors & Features

Detect and mitigate CVE-2023-37903 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →