Vulnerability details: VCID-ua6c-rrsj-2kg6
Vulnerability ID VCID-ua6c-rrsj-2kg6
Aliases CVE-2023-32314
GHSA-whpj-8f3w-67p5
Summary vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
cvssv3 9.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json
epss 0.61685 https://api.first.org/data/v1/epss?cve=CVE-2023-32314
cvssv3.1 9.8 https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
generic_textual CRITICAL https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
ssvc Track* https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-whpj-8f3w-67p5
cvssv3.1 9.8 https://github.com/patriksimek/vm2
generic_textual CRITICAL https://github.com/patriksimek/vm2
cvssv3.1 9.8 https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
generic_textual CRITICAL https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
ssvc Track* https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
cvssv3.1 9.8 https://github.com/patriksimek/vm2/releases/tag/3.9.18
generic_textual CRITICAL https://github.com/patriksimek/vm2/releases/tag/3.9.18
ssvc Track* https://github.com/patriksimek/vm2/releases/tag/3.9.18
cvssv3.1 9.8 https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
cvssv3.1_qr CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
generic_textual CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
ssvc Track* https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-32314
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-32314
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/ Found at https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/ Found at https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/releases/tag/3.9.18
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/ Found at https://github.com/patriksimek/vm2/releases/tag/3.9.18
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/ Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-32314
Exploit Prediction Scoring System (EPSS)
Percentile 0.98362
EPSS Score 0.61685
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:26:42.885940+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/32xxx/CVE-2023-32314.json 38.6.0