CVE-2023-29017: 
JavaScript vulnerability analysis and mitigation

CVE-2023-29017 is a critical vulnerability discovered in the vm2 JavaScript sandbox library affecting versions 3.9.14 and earlier. The vulnerability was discovered by researchers from KAIST WSP Lab and disclosed on April 6, 2023. vm2 is a popular library designed to run untrusted code with whitelisted Node's built-in modules in an isolated environment, with approximately 4 million weekly downloads (Hacker News).

The vulnerability stems from improper handling of host objects passed to 'Error.prepareStackTrace' function when unhandled asynchronous errors occur. The issue received a CVSS v3.1 base score of 9.8 (Critical), with some sources rating it at 10.0, indicating maximum severity (NVD, Bleeping Computer).

The vulnerability allows threat actors to bypass sandbox protections and gain remote code execution (RCE) rights on the host system running the sandbox. This is particularly concerning given vm2's widespread use in integrated development environments (IDEs), code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, and various security tools (Bleeping Computer).

The vulnerability was patched in vm2 version 3.9.15, released shortly after the disclosure. There are no known workarounds for this vulnerability, making it critical for affected users to upgrade to the patched version (GitHub Advisory).