CVE-2023-29017 — vm2 Sandbox Escape CRITICAL

🔴 CISA KEV · npm · CVSS 10.0 · vm2 < 3.9.19 → 3.9.19

vm2 is a popular Node.js sandbox library used to execute untrusted code safely. CVE-2023-29017 allows a complete sandbox escape — code running inside vm2 can break out and execute arbitrary code on the host system. CVSS 10.0.

🔴 Actively Exploited

CVE-2023-29017 is on the CISA Known Exploited Vulnerabilities catalog. This is not a theoretical risk — it is being used in real attacks right now. Fix immediately.

What's affected

Package   Ecosystem   Vulnerable   Safe version   Fix guide
vm2       npm         < 3.9.19     3.9.19         Full fix guide →

How to fix CVE-2023-29017

  1. Update vm2 to 3.9.19
  2. Run npm install
  3. Consider migrating to isolated-vm or a container-based sandbox for stronger isolation

✓ Verify with PackageFix

Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-29017 no longer appears in the CVE table, you're clean.
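As an added, offline cross-check (example code, not PackageFix's or the vm2 project's own), the script below walks a package-lock.json and flags every installed copy of vm2 below the 3.9.19 fix listed in the table above, including nested copies pinned by other packages. The sample lockfile embedded in it is constructed; the package name some-plugin is a placeholder.

```javascript
// Added example (not PackageFix's or vm2's code): offline check for CVE-2023-29017 over a
// package-lock.json (lockfileVersion 2 or 3). The fixed version comes from the advisory above.
const FIXED_VERSION = "3.9.19";

// Parse "major.minor.patch[-prerelease]"; returns null for anything that is not a semver version.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare each component numerically, so "3.10.0" sorts above "3.9.19" (a string comparison gets
// this wrong). A pre-release such as "3.9.19-0" sorts below the release; pre-release tags are
// compared lexicographically here, which is a simplification of the semver spec.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver version: ${pa ? b : a}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected range from the advisory: every vm2 release before 3.9.19.
function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Lockfile "packages" keys are install paths: "node_modules/vm2" for a direct dependency,
// "node_modules/<dep>/node_modules/vm2" for a nested copy that some other package pins.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    if (entry.version && isVulnerableVm2(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: the direct vm2 is fixed, but a plugin still pulls in a vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin": { version: "2.1.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.17" },
  },
};

console.log(findVulnerableVm2(SAMPLE_LOCK)); // one hit: the nested 3.9.17 under some-plugin
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; any hit means a vulnerable vm2 is still installed even if the top-level dependency was updated.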

Paste your manifest — get back a fixed version with all CVEs patched in seconds.

Open PackageFix →

No signup · No CLI · No GitHub · Runs 100% in your browser

Frequently Asked Questions

Is vm2 still safe to use?
vm2 has had multiple critical sandbox escapes. The maintainers recommend considering isolated-vm or vm2's own successor packages for production sandbox use.
What can an attacker do with this vulnerability?
A complete sandbox escape — code inside the vm2 sandbox can read the host filesystem, execute system commands, exfiltrate environment variables, and establish network connections.
What's the CVSS score for CVE-2023-29017?
CVSS 10.0 — the maximum possible score. This is one of the most severe npm vulnerabilities ever discovered. Fix immediately.
