How severe is CVE-2023-29199?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 10 out of 10.

What type of vulnerability is CVE-2023-29199?

This is classified as CWE-913, which is a common weakness in software security.

CVE-2023-29199 - CRITICAL Severity | CVSS 10

Vulnerability Description

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.

Related Vulnerabilities

CVE-2022-36067

CRITICAL

CVSS:10.0(Critical)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execut...

CWE-9132022

CVE-2023-37271

CRITICAL

CVSS:9.9(Critical)

RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stac...

CWE-9132023

CVE-2025-46673

CRITICAL

CVSS:9.9(Critical)

NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS).

CWE-9132025

CVE-2014-9852

CRITICAL

CVSS:9.8(Critical)

distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.

CWE-9132014

CVE-2017-3202

CRITICAL

CVSS:9.8(Critical)

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and sub...

CWE-9132017

CVE-2020-15568

CRITICAL

CVSS:9.8(Critical)

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attack...

CWE-9132020