How to fix CVE-2023-29017

CVE-2023-29017 is a flaw in how VM2 handles errors that occur asynchronously inside its sandbox. If such errors are not properly handled, an attacker might escape the sandbox's restrictions and execute code with greater privileges, potentially compromising the host system's security. This article discusses how to solve the issue.

Context of CVE-2023-29017

VM2 is a sandboxing library for Node.js that allows executing untrusted JavaScript code in a controlled and isolated environment. You can use it in scenarios where you need to run code or scripts within a Node.js application but want to ensure that this code does not have unrestricted access to the underlying system or sensitive resources. Here's a more detailed explanation:

  1. Sandboxing: VM2 creates a secure sandbox within a Node.js environment. In this sandbox, code will run with restricted access to certain resources, preventing it from causing harm to the host system. This is particularly useful when dealing with potentially malicious or untrusted code, such as user-generated scripts.
  2. Isolation: VM2 isolates the code running within the sandbox from the rest of the Node.js application. This isolation ensures that the code executed in the sandbox cannot interfere with the main application or access sensitive information or system resources directly.
  3. Whitelisted Node.js Modules: VM2 allows you to specify a whitelist of Node.js built-in modules and functions that are accessible from within the sandboxed code. These whitelisted modules are the only ones that the code running in the sandbox can use. All other Node.js modules and functionality are unavailable to the sandboxed code.

Affected Versions by Product

  • VM2 versions 3.9.14 and prior
  • Node version: 18.15.0, 19.8.1, 17.9.1

Fixing CVE-2023-29017

At present, there are no identified workarounds that mitigate this vulnerability. Consequently, all VM2 library users should promptly update to version 3.9.17 or higher. The VM2 package is published at https://www.npmjs.com/package/vm2

Please note that, if you are running VM2 as part of Red Hat supported packages, you will need to use the supported patch releases from https://access.redhat.com/security/cve/cve-2023-29017
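To confirm the upgrade reached every installed copy, including ones pulled in by other packages, the lockfile can be checked directly. The following is an added example, not code from the VM2 project: it assumes the standard npm `package-lock.json` layouts, and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: list every vm2 copy pinned in a package-lock.json object.
const FIXED = [3, 9, 17]; // minimum version this article recommends

function parseVersion(v) {
  // Keep only numeric major.minor.patch; ignore prerelease/build suffixes.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelowFixed(version) {
  const parts = parseVersion(version);
  if (!parts) return true; // unparseable (git URL, tag): flag for manual review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

function findVm2(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map(h => ({ ...h, needsUpdate: isBelowFixed(h.version) }));
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.14' },
  },
};

console.log(findVm2(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVm2`; a nested copy flagged with `needsUpdate` means a dependency still pins an old vm2 even though the top-level package was upgraded.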
