CVE-2023-37903: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2023-37903) affects vm2, an open source vm/sandbox for Node.js, in versions up to and including 3.9.19. The vulnerability was discovered by Xion (SeungHyun Lee) of KAIST Hacking Lab and disclosed on July 12, 2023. The issue involves Node.js custom inspect function that allows attackers to escape the sandbox and run arbitrary code (GitHub Advisory, NVD).

The vulnerability received a Critical severity rating with a CVSS v3.1 base score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue specifically relates to the Node.js custom inspect function implementation in vm2, which can be exploited to break out of the sandbox environment. This vulnerability is distinct from CVE-2023-37466, representing a completely different method of sandbox escape (NetApp Advisory, GitHub Advisory).

Successful exploitation of this vulnerability can lead to Remote Code Execution (RCE), provided the attacker has arbitrary code execution capabilities within the vm2 sandbox context. The impact includes potential disclosure of sensitive information, unauthorized data modification, and system compromise (NetApp Advisory).

There are no patches or known workarounds available for this vulnerability. Users are advised to find alternative software solutions as the project maintainers have not released a fix (GitHub Advisory).