Legacy Knowledge Base
Published Jun. 30, 2025

Is Liferay vulnerable to CVE-2023-29017: Critical RCE vulnerability in VM2 Sandbox library?

Written By

Balázs Létai

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.
Note: please note that Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Issue

  • As a customer, should I mitigate the risks imposed by the vulnerability "CVE-2023-29017: Critical RCE vulnerability in VM2 Sandbox library"?

    Description:

    A security researcher has reported a critical remote code execution vulnerability in 'vm2', a JavaScript sandbox library downloaded over 16 million times per month via the NPM package repository. The VM2 library is used to run untrusted code in an isolated environment on Node.js, and is integrated into development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products.

    This vulnerability is rated 10, the highest score in the CVSS system, because it can be exploited remotely and the attack complexity is low. The vulnerability exists due to improper handling of host objects passed to `Error.prepareStackTrace` in the case of unhandled async errors.

    Successful exploitation of this vulnerability may allow a remote attacker to bypass the sandbox protections and gain remote code execution on the hypervisor host or the host running the sandbox, run shell commands, and perform unauthorized actions on the machine hosting the sandbox.

    VM2 versions 3.9.14 and earlier are impacted by this vulnerability.
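    As an added check that is not part of the original article, the following script scans a lockfileVersion 2/3 package-lock.json for vm2 installs (direct or transitive) at or below 3.9.14, the range the advisory lists as affected; the sample lockfile and the `some-plugin` dependency are constructed for illustration.

```javascript
// Added example (not from the Liferay KB article): find vm2 entries in an npm
// lockfile whose version is <= 3.9.14, the affected range named above.
const semverParts = (v) => v.split('.').map((n) => parseInt(n, 10) || 0);

// Compare two dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [semverParts(a), semverParts(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

const LAST_VULNERABLE = '3.9.14';

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json (keys are
// node_modules paths) and return every vm2 install that is <= 3.9.14.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2')) continue; // nested copies count too
    if (!meta || !meta.version) continue;
    if (compareVersions(meta.version, LAST_VULNERABLE) <= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct vm2 above the affected range and one
// transitive, outdated copy nested under a hypothetical "some-plugin" package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.11' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const hits = findVulnerableVm2(sampleLock);
  console.log(hits.length ? hits : 'no vulnerable vm2 found');
}
```

    Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; only the nested 3.9.11 copy is reported for the sample above.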

Environment

  • Liferay PaaS
  • Liferay SaaS
  • Liferay Cloud
  • Liferay DXP 7.0+

Resolution

  • Liferay DXP, Liferay Cloud, Liferay PaaS and Liferay SaaS do not use (or install) the VM2 library; therefore they are not vulnerable. This issue does not affect them.

Additional Information
